
Network Security Fundamentals
Eric Cole, Ronald L. Krutz, James W. Conley, Brian Reisman, Mitch Ruebush, and Dieter Gollmann with Rachelle Reese

Credits
PUBLISHER: Anne Smith
PROJECT EDITOR: Brian B. Baker
MARKETING MANAGER: Jennifer Slomack
SENIOR EDITORIAL ASSISTANT: Tiara Kelly
PRODUCTION MANAGER: Kelly Tavares
PROJECT MANAGER: Tenea Johnson
PRODUCTION EDITOR: Kerry Weinstein
CREATIVE DIRECTOR: Harry Nolan
COVER DESIGNER: Hope Miller
COVER PHOTO: Tetra Images/Getty Images

Wiley 200th Anniversary Logo designed by: Richard J. Pacifico
This book was set in Times New Roman by Aptara, Inc. and printed and bound by R. R. Donnelley. The cover was printed by R. R. Donnelley. Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation. Copyright © 2008 John Wiley & Sons, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, website www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, (201) 748-6011, fax (201) 748-6008, website www.wiley.com/go/permissions. To order books or for customer service please call 1-800-CALL WILEY (225-5945).

ISBN 978-0-470-10192-6 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1

ABOUT THE AUTHORS
Eric Cole is the author of Hackers Beware, Hiding in Plain Sight: Steganography and the Art of Covert Communication, and co-author of Network Security Bible and SANS GIAC Certification: Security Essentials Toolkit (GSEC). He has appeared as a security expert on CBS News, 60 Minutes, and CNN Headline News.

Ronald L. Krutz is the author of Securing SCADA Systems and co-author of Network Security Bible, The CISM Prep Guide: Mastering the Five Domains of Information Security Management, The CISSP Prep Guide: Mastering CISSP and CAP, and Security+ Prep Guide, and is the founder of the Carnegie Mellon Research Institute Cybersecurity Center.

James W. Conley is co-author of Network Security Bible and has been a security officer in the United States Navy and a senior security specialist on CIA development efforts.

Brian Reisman is co-author of MCAD/MCSD: Visual Basic .NET Windows and Web Applications Study Guide, MCAD/MCSD: Visual Basic .NET XML Web Services and Server Components Study Guide, and MCSE: Windows Server 2003 Network Security Design Study Guide. He is a technical trainer for Online Consulting, a Microsoft Certified Technical Education Center, and is a contributor to MCP Magazine, CertCities.com, and ASPToday.com.

Mitch Ruebush is co-author of MCAD/MCSD: Visual Basic .NET Windows and Web Applications Study Guide, MCAD/MCSD: Visual Basic .NET XML Web Services and Server Components Study Guide, and MCSE: Windows Server 2003 Network Security Design Study Guide. He is a Senior Consultant and Trainer for Online Consulting, Inc. He has been deploying, securing, and developing for Windows and UNIX platforms for 14 years.

Dieter Gollmann is Professor for Security in Distributed Applications at Hamburg University of Technology. He is also a visiting Professor at Royal Holloway, University of London and Adjunct Professor at the Technical University of Denmark. Previously he was a researcher in Information Security at Microsoft Research in Cambridge.
Rachelle Reese has been designing and developing technical training courses for over ten years and has written a number of books on programming. She has an MA from San Jose State University and is also a Microsoft Certified Application Developer (MCAD).


PREFACE
College classrooms bring together learners from many backgrounds, with a variety of aspirations. Although the students are in the same course, they are not necessarily on the same path. This diversity, coupled with the reality that these learners often have jobs, families, and other commitments, requires a flexibility that our nation’s higher education system is addressing. Distance learning, shorter course terms, new disciplines, evening courses, and certification programs are some of the approaches that colleges employ to reach as many students as possible and help them clarify and achieve their goals. Wiley Pathways books, a new line of texts from John Wiley & Sons, Inc., are designed to help you address this diversity and the need for flexibility. These books focus on the fundamentals, identify core competencies and skills, and promote independent learning. Their focus on the fundamentals helps students grasp the subject, bringing them all to the same basic understanding. These books use clear, everyday language and are presented in an uncluttered format, making the reading experience more pleasurable. The core competencies and skills help students succeed in the classroom and beyond, whether in another course or in a professional setting. A variety of built-in learning resources promote independent learning and help instructors and students gauge students’ understanding of the content. These resources enable students to think critically about their new knowledge and to apply their skills in any situation. Our goal with Wiley Pathways books—with their brief, inviting format, clear language, and core competencies and skills focus—is to celebrate the many students in your courses, respect their needs, and help you guide them on their way.

CASE Learning System
To meet the needs of working college students, Network Security Fundamentals uses a four-part process called the CASE Learning System:
▲ C: Content
▲ A: Analysis
▲ S: Synthesis
▲ E: Evaluation


Based on Bloom’s taxonomy of learning, CASE presents key topics in network security fundamentals in easy-to-follow chapters. The text then prompts analysis, synthesis, and evaluation with a variety of learning aids and assessment tools. Students move efficiently from reviewing what they have learned, to acquiring new information and skills, to applying their new knowledge and skills to real-life scenarios. Using the CASE Learning System, students not only achieve academic mastery of network security topics, but they master real-world skills related to that content. The CASE Learning System also helps students become independent learners, giving them a distinct advantage in the field, whether they are just starting out or seeking to advance in their careers.

Organization, Depth, and Breadth of the Text
▲ Modular Format. Research on college students shows that they access information from textbooks in a non-linear way. Instructors also often wish to reorder textbook content to suit the needs of a particular class. Therefore, although Network Security Fundamentals proceeds logically from the basics to increasingly more challenging material, chapters are further organized into sections that are self-contained for maximum teaching and learning flexibility.
▲ Numeric System of Headings. Network Security Fundamentals uses a numeric system for headings (e.g., 2.3.4 identifies the fourth subsection of Section 3 of Chapter 2). With this system, students and teachers can quickly and easily pinpoint topics in the table of contents and the text, keeping class time and study sessions focused.
▲ Core Content. The topics in Network Security Fundamentals are organized into 12 chapters.

Chapter 1, Computer and Network Security Principles, introduces basic terminology and concepts related to security and gets the student thinking about why it is important to take security measures to protect a network and its resources. The chapter begins with an overview of different types of attacks. Next it discusses the three key aspects of security: confidentiality, integrity, and authentication. From there it moves on to discuss risk analysis, including identifying and ranking assets, threats, and vulnerabilities. The chapter concludes with an overview of security policies and standards.


Chapter 2, Network and Server Security, discusses some best practices and techniques for mitigating the risk to servers on your network. It begins with a review of the Open Systems Interconnection (OSI) model to ensure that students are familiar with various protocols and the layers at which they operate. From there it moves on to discuss some best practices when securing a network: security by design and defense in depth. Next it presents some techniques for reducing the attack surface of a server. The chapter concludes with a look at perimeter security, including firewalls and Network Address Translation (NAT).

Chapter 3, Cryptography, introduces the fundamental principles of cryptography and discusses various ways it is used to provide network and computer security. The chapter begins with a brief history of cryptography and introduces the cast of characters commonly used to describe cryptographic scenarios. Next it discusses symmetric encryption and introduces the problem of how to share symmetric keys. From there it moves on to discuss asymmetric encryption and one of its common uses, digital signatures. Next it looks at the role of hashes. The chapter then brings the cryptographic techniques together to examine how they can be used to provide confidentiality, integrity, and authentication. The chapter concludes with an overview of public key infrastructure (PKI), using Microsoft®’s Certificate Services as an example of how you can implement a PKI.

Chapter 4, Authentication, discusses the importance of authentication and how credentials can be used to prove the identity of a user or computer. The student is first introduced to some key authentication concepts, including the entities that must be authenticated, single sign-on, and mutual authentication. Next the chapter examines the types of credentials that can be used to prove the identity of a user or computer. The chapter then looks at some protocols used for network authentication. The chapter concludes with a look at best practices, including using strong passwords and limiting the times during which or locations from which a user can log on.

Chapter 5, Authorization and Access Control, introduces students to concepts and procedures related to limiting who can access resources on a network. The chapter begins by discussing types of access control that have been used historically and that are used today, including mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC). Next it examines how access control is managed on a Windows® network. The chapter concludes with a look at access control in a Unix® or Linux environment.

Chapter 6, Securing Network Transmission, focuses on securing network perimeters and data in transit on the network. The chapter begins with a look at some attacks that target network services and packets on the network, and how to mitigate them. Next it examines some strategies for segmenting a network and securing network perimeters. It concludes with a look at some protocols that can be used to encrypt data on the network, including Secure Sockets Layer (SSL), Transport Layer Security (TLS), and IP security (IPsec).

Chapter 7, Remote Access and Wireless Security, deals with security considerations for a network that extends past the traditional WAN. It begins with a discussion of the dangers of modems and how to secure a network that allows dial-in access. From there it moves on to discuss how Remote Authentication Dial-in User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS) can be used to centralize authentication for remote access clients. Next it looks at virtual private networks (VPNs). The chapter concludes by examining the threats introduced through wireless networking and steps you can take to mitigate those threats.

Chapter 8, Server Roles and Security, examines the different roles servers play on a network and discusses ways to mitigate the threats associated with specific server roles. The chapter begins by discussing establishing a security baseline for the servers on a network. It then discusses steps to take to secure domain controllers. Next it examines risks specific to infrastructure servers, including domain name system (DNS), Dynamic Host Configuration Protocol (DHCP), and Windows Internet Name Service (WINS) servers. Next it looks at considerations for securing file and print servers. The chapter concludes with a look at security issues specific to application servers, such as web and database servers.

Chapter 9, Protecting Against Malware, looks at various types of malware and steps to take to protect computers against viruses, worms, spyware, and other types of malicious code. The chapter begins by defining the types of malware that typically pose a threat to computers. Next it discusses anti-malware programs and the importance of user education in preventing attacks. The chapter then discusses issues related to securely browsing web sites. The chapter concludes with a look at risks specific to email and how to mitigate them.

Chapter 10, Ongoing Security Management, examines some key considerations for keeping a network secure. It begins with a discussion of strategies for ensuring that operating systems and applications are kept up-to-date with the latest security patches. Next, the chapter examines strategies for both in-band and out-of-band remote management. Finally, it discusses the importance of auditing and ongoing monitoring.

Chapter 11, Disaster Recovery and Fault Tolerance, examines the importance of planning for the worst. It begins by discussing three types of plans a company should have in place to define recovery procedures when a disaster or attack occurs. Next, it covers the importance of backups. The chapter concludes with a look at fault tolerance technologies. These include Redundant Array of Independent Disks (RAID) and failover configurations.

Chapter 12, Intrusion Detection and Forensics, introduces students to techniques used to detect a potential attack and analyze the nature of an attack. The chapter begins with a look at intrusion detection systems (IDS) and how they can be used to provide advance warning of an impending attack. Next, it looks at how honeypots can be used to analyze an attacker’s methods. The chapter concludes with a look at forensics, including procedures for preserving evidence and investigating the extent and methods used in an attack.

Pre-reading Learning Aids
Each chapter of Network Security Fundamentals features the following learning and study aids to activate students’ prior knowledge of the topics and to orient them to the material.
▲ Pre-test. This pre-reading assessment tool in multiple-choice format not only introduces chapter material, but it also helps students anticipate the chapter’s learning outcomes. By focusing students’ attention on what they do not know, the self-test provides students with a benchmark against which they can measure their own progress. The pre-test is available online at www.wiley.com/college/cole.
▲ What You’ll Learn in This Chapter. This bulleted list focuses on subject matter that will be taught. It tells students what they will be learning in this chapter and why it is significant for their careers. It will also help students understand why the chapter is important and how it relates to other chapters in the text.
▲ After Studying This Chapter, You’ll Be Able To. This list emphasizes capabilities and skills students will learn as a result of reading the chapter. It sets students up to synthesize and evaluate the chapter material, and to relate it to the real world.

Within-text Learning Aids
The following learning aids are designed to encourage analysis and synthesis of the material, support the learning process, and ensure success during the evaluation phase:
▲ Introduction. This section orients the student by introducing the chapter and explaining its practical value and relevance to the book as a whole. Short summaries of chapter sections preview the topics to follow.
▲ “For Example” Boxes. Found within each section, these boxes tie section content to real-world examples, scenarios, and applications.
▲ Figures and tables. Line art and photos have been carefully chosen to be truly instructional rather than filler. Tables distill and present information in a way that is easy to identify, access, and understand, enhancing the focus of the text on essential ideas.
▲ Self-Check. Related to the “What You’ll Learn” bullets and found at the end of each section, this battery of short answer questions emphasizes student understanding of concepts and mastery of section content. Though the questions may either be discussed in class or studied by students outside of class, students should not go on before they can answer all questions correctly.
▲ Key Terms and Glossary. To help students develop a professional vocabulary, key terms are bolded when they first appear in the chapter. A complete list of key terms, along with brief definitions, appears at the end of each chapter. Knowledge of key terms is assessed by all assessment tools (see below), and all the key terms appear in a glossary at the end of the book.
▲ Summary. Each chapter concludes with a summary paragraph that reviews the major concepts in the chapter and links back to the “What You’ll Learn” list.

Evaluation and Assessment Tools
The evaluation phase of the CASE Learning System consists of a variety of within-chapter and end-of-chapter assessment tools that test how well students have learned the material. These tools also encourage


students to extend their learning into different scenarios and higher levels of understanding and thinking. The following assessment tools appear in every chapter of Network Security Fundamentals:
▲ Summary Questions help students summarize the chapter’s main points by asking a series of multiple choice and true/false questions that emphasize student understanding of concepts and mastery of chapter content. Students should be able to answer all of the Summary Questions correctly before moving on.
▲ Applying This Chapter Questions drive home key ideas by asking students to synthesize and apply chapter concepts to new, real-life situations and scenarios.
▲ You Try It Questions are designed to extend students’ thinking, and so are ideal for discussion or writing assignments. Using an open-ended format and sometimes based on web sources, they encourage students to draw conclusions using chapter material applied to real-world situations, which fosters both mastery and independent learning.
▲ Post-test should be taken after students have completed the chapter. It includes all of the questions in the pre-test, so that students can see how their learning has progressed and improved.

Instructor Package
Network Security Fundamentals is available with the following teaching and learning supplements. All supplements are available online at the text’s Book Companion website, located at www.wiley.com/college/cole.
▲ Instructor’s Resource Guide. Provides the following aids and supplements for teaching a network security fundamentals course:
● Teaching suggestions. For each chapter, these include a chapter summary, learning objectives, definitions of key terms, lecture notes, answers to select text question sets, and at least 3 suggestions for classroom activities, such as ideas for speakers to invite, videos to show, and other projects.
▲ PowerPoint Slides. Key information is summarized in 10 to 15 PowerPoint® slides per chapter. Instructors may use these in class or choose to share them with students for class presentations or to provide additional study support.
▲ Test Bank. One test per chapter, as well as a mid-term, and two finals: one cumulative, one non-cumulative. Each includes


true/false, multiple choice, and open-ended questions. Answers and page references are provided for the true/false and multiple choice questions, and page references for the open-ended questions. Questions are available in Microsoft Word and computerized test bank formats.

Student Project Manual
The inexpensive Network Security Fundamentals Project Manual contains activities (an average of five projects per textbook chapter) designed to help students apply textbook concepts in a practical way. Easier exercises at the beginning graduate to more challenging projects that build critical-thinking skills.

ACKNOWLEDGMENTS
Taken together, the content, pedagogy, and assessment elements of Network Security Fundamentals offer the career-oriented student the most important aspects of the network security field as well as ways to develop the skills and capabilities that current and future employers seek in the individuals they hire and promote. Instructors will appreciate its practical focus, conciseness, and real-world emphasis. We would like to thank the reviewers for their feedback and suggestions during the text’s development. Their advice on how to shape Network Security Fundamentals into a solid learning tool that meets both their needs and those of their busy students is deeply appreciated. We would especially like to thank the following reviewers for their significant contributions:
Delfina Najera, El Paso Community College
Jan McDanolds, Kaplan University
Laurence Dumais, American River College
We would also like to thank Carol Traver for all her hard work in formatting and preparing the manuscript for production.


BRIEF CONTENTS
1 Computer and Network Security Principles . . . 1
2 Network and Server Security . . . 30
3 Cryptography . . . 74
4 Authentication . . . 118
5 Authorization and Access Control . . . 149
6 Securing Network Transmission . . . 188
7 Remote Access and Wireless Security . . . 221
8 Server Roles and Security . . . 262
9 Protecting Against Malware . . . 310
10 Ongoing Security Management . . . 356
11 Fault Tolerance and Disaster Recovery . . . 395
12 Intrusion Detection and Response . . . 433

Glossary . . . 462
Index . . . 507


CONTENTS
1 Network Security Principles . . . 1
  Introduction . . . 2
  1.1 Importance of Computer and Network Security . . . 2
    1.1.1 Exposing Secrets . . . 2
    1.1.2 Causing System Failures . . . 3
    1.1.3 Profile of an Attacker . . . 4
    1.1.4 Social Engineering . . . 4
    1.1.5 Security Defined . . . 5
    Self-Check . . . 6
  1.2 Underlying Computer and Network Security Concepts . . . 6
    1.2.1 Confidentiality . . . 7
    1.2.2 Integrity . . . 7
    1.2.3 Availability . . . 8
    1.2.4 Accountability . . . 9
    1.2.5 Nonrepudiation . . . 10
    Self-Check . . . 11
  1.3 Threats and Countermeasures . . . 11
    1.3.1 Assessing Assets, Vulnerabilities and Threats to Calculate Risk . . . 12
    1.3.2 Calculating Risk . . . 15
    1.3.3 Countermeasures—Risk Mitigation . . . 16
    Self-Check . . . 19
  1.4 Policies and Standards . . . 20
    1.4.1 Security Policy . . . 20
    1.4.2 Standards . . . 21
    1.4.3 Informing Users of the Importance of Security . . . 23
    Self-Check . . . 24
  Summary . . . 24
  Key Terms . . . 24
  Assess Your Understanding . . . 26
  Summary Questions . . . 26
  Applying This Chapter . . . 27
  You Try It . . . 29

2 Network and Server Security . . . 30
  Introduction . . . 31
  2.1 Network Protocols Review . . . 31
    2.1.1 Understanding Protocols . . . 31
    2.1.2 The Open Systems Interconnect Model . . . 32
    2.1.3 The TCP/IP Model . . . 39
    2.1.4 TCP/IP Ports . . . 43
    Self-Check . . . 45
  2.2 Best Practices for Network Security . . . 45
    2.2.1 Security by Design . . . 46
    2.2.2 Maintaining a Security Mindset . . . 47
    2.2.3 Defense-in-Depth . . . 47
    Self-Check . . . 49
  2.3 Securing Servers . . . 49
    2.3.1 Controlling the Server Configuration . . . 49
    Self-Check . . . 56
  2.4 Border Security . . . 57
    2.4.1 Segmenting a Network . . . 57
    2.4.2 Perimeter Defense . . . 58
    2.4.3 Firewalls . . . 58
    2.4.4 Network Address Translation . . . 65
    Self-Check . . . 67
  Summary . . . 67
  Key Terms . . . 67
  Assess Your Understanding . . . 70
  Summary Questions . . . 70
  Applying This Chapter . . . 71
  You Try It . . . 73

3 Cryptography . . . 74
  Introduction . . . 75
  3.1 Cryptography Overview . . . 75
    3.1.1 A Brief History of Cryptography . . . 75
    3.1.2 Cryptographic Primitives . . . 79
    3.1.3 XOR . . . 81
    3.1.4 Cast of Characters . . . 82
    Self-Check . . . 83
  3.2 Symmetric Encryption . . . 83
    3.2.1 Understanding Symmetric Encryption . . . 83
    3.2.2 Encryption Strength . . . 84
    3.2.3 Stream Ciphers . . . 84
    3.2.4 Block Ciphers . . . 85
    3.2.5 Sharing Keys . . . 88
    Self-Check . . . 90
  3.3 Asymmetric Encryption . . . 90
    3.3.1 Ensuring Confidentiality with Asymmetric Encryption . . . 91
    3.3.2 Digital Signatures . . . 92
    Self-Check . . . 93
  3.4 Hashes . . . 93
    3.4.1 Hash Functions . . . 93
    3.4.2 Using Hash Functions to Ensure Integrity . . . 94
    3.4.3 A Vulnerability When Protecting Passwords . . . 94
    3.4.4 Creating Pseudorandom Data with Hash Functions . . . 95
    3.4.5 Keyed Hash Functions . . . 96
    Self-Check . . . 96
  3.5 Achieving CIA . . . 97
    3.5.1 Confidentiality . . . 97
    3.5.2 Integrity . . . 97
    3.5.3 Authentication . . . 98
    3.5.4 CIA . . . 98
    Self-Check . . . 99
  3.6 Public Key Infrastructure (PKI) . . . 99
    3.6.1 Digital Certificates . . . 99
    3.6.2 Public Key Infrastructure . . . 100
    3.6.3 Designing a CA Hierarchy . . . 103
    3.6.4 Security Policy and PKI Implementation . . . 107
    3.6.5 Trusting Certificates from Other Organizations . . . 108
    3.6.6 Creating an Enrollment and Distribution Strategy . . . 110
    3.6.7 Renewing Certificates . . . 110
    3.6.8 Revoking a Certificate . . . 111
    Self-Check . . . 112
  Summary . . . 113
  Key Terms . . . 113
  Assess Your Understanding . . . 115
  Summary Questions . . . 115
  Applying This Chapter . . . 116
  You Try It . . . 117

4 Authentication . . . 118
  Introduction . . . 119
  4.1 Authentication Overview . . . 119
    4.1.1 Interactive Logon . . . 119
    4.1.2 Peer-to-Peer Network Logon . . . 120
    4.1.3 Computer Authentication . . . 120
    4.1.4 Mutual Authentication . . . 121
    4.1.5 Application Authentication . . . 123
    Self-Check . . . 125
  4.2 Authentication Credentials . . . 125
    4.2.1 Password Authentication . . . 125
    4.2.2 One-Time Passwords . . . 128
    4.2.3 Smart Cards . . . 128
    4.2.4 Biometrics . . . 129
    Self-Check . . . 131
  4.3 Authentication Protocols . . . 131
    4.3.1 LAN Manager-Based Protocols . . . 131
    4.3.2 Kerberos . . . 134
    Self-Check . . . 136
  4.4 Best Practices for Secure Authentication . . . 136
    4.4.1 Password Policies . . . 137
    4.4.2 Account Lockout Policy . . . 139
    4.4.3 Account Logon Hours . . . 140
    4.4.4 Account Logon Workstation . . . 140
    4.4.5 Auditing Logons . . . 141
    Self-Check . . . 141
  Summary . . . 143
  Key Terms . . . 143
  Assess Your Understanding . . . 145
  Summary Questions . . . 145
  Applying This Chapter . . . 146
  You Try It . . . 148

5

Authorization and Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 5.1 Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 5.1.1 Discretionary Access Control (DAC). . . . . . . . . . . . . 150 5.1.2 Mandatory Access Control (MAC) . . . . . . . . . . . . . . 151 5.1.3 Role-Based Access Control (RBAC). . . . . . . . . . . . . . 152 5.1.4 Principle of Least Permission . . . . . . . . . . . . . . . . . . 154 Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 5.2 Implementing Access Control on Windows Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 5.2.1 Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 5.2.2 Windows Access Control Model. . . . . . . . . . . . . . . . 161 5.2.3 Understanding Active Directory Object Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . 163 5.2.4 Designing Access Control for Files and Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 5.2.5 User Rights Assignment . . . . . . . . . . . . . . . . . . . . . . 172 Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

CONTENTS

xxiii

5.3

Implementing Access Control on Unix Computers . . . . . . . . . . 174 5.3.1 Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 5.3.2 Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Assess Your Understanding. . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Summary Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Applying This Chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 You Try It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

6

Securing Network Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 6.1 Analyzing Security Requirements for Network Traffic . . . . . . . . 189 6.1.1 Types of Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 6.1.2 Considerations for Designing a Secure Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 6.1.3 Securely Transmitting Data. . . . . . . . . . . . . . . . . . . . 193 Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 6.2 Defining Network Perimeters . . . . . . . . . . . . . . . . . . . . . . . . . . 195 6.2.1 Isolating Insecure Networks Using Subnets . . . . . . . 195 6.2.2 Switches and VLANs . . . . . . . . . . . . . . . . . . . . . . . . 196 6.2.3 Using IP Address and IP Packet Filtering . . . . . . . . . 199 Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 6.3 Data Transmission Protection Protocols . . . . . . . . . . . . . . . . . . 201 6.3.1 SSL and TLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 6.3.2 IP Security (IPsec) . . . . . . . . . . . . . . . . . . . . . . . . . . 205 6.3.3 Server Message Block Signing. . . . . . . . . . . . . . . . . . 211 6.3.4 Secure Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212 Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 Assess Your Understanding. . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Summary Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Applying This Chapter . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . 218 You Try It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 Remote Access and Wireless Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 7.1 Dial-Up Networking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 7.1.1 Dial-Up Networking Protocols . . . . . . . . . . . . . . . . . 222 7.1.2 Dial-Up Networking Authentication Protocols . . . . . 223

7

. . . . . . . . . . . . 236 7. . . 240 7. . . . . . 228 7. . . . . . . .4. . . . .4.4 Preventing Access to the Network . .1. . . . . .1. . . . 237 Self-Check . . . . . . . . . . . . .1 Trusted Computing Base . . . . . . . . . . . . . . . . .7 802.5 WiFi Protected Access (WPA). . . . . . . . . . . . . . . . . . . . . .1. . . . . . . . . .1 Server Roles and Baselines . . . . . . .4 Wired Equivalent Privacy (WEP) . . . . . . . . .5 Security Configuration Wizard . . . .2 Secure Baseline. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Virtualization . . . . . . . . . . . . . . . . . . . . . . . 258 Applying This Chapter . . . . . . . 230 7. . . . . . . . .4. . . . . . . . . 259 You Try It . . . . . . . . . . . . . . . 255 Assess Your Understanding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 7. . . . .1. . . . . .6 Secure Baseline Configuration for Linux Servers. . . . . . . .4. . . . . . . . . . . . . . . . . . . . 253 7. . . . . . .1. .1 Using RADIUS Authentication . . . . . . 262 Introduction.9 Identifying Wireless Network Vulnerabilities . . 263 8. . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Wireless Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Virtual Private Networks.3 Preparing to Implement the Baseline . . . . . . . . . 263 8. . . 241 7. . . . .4. . . . . . . . . . . 272 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11i . . . . 235 RADIUS and TACACS . . . . . 229 Self-Check . . . . . . . . . . . . . . 239 Wireless Networks . . . . . . . . . . . . . 244 7. . . . . .2 L2TP and IPsec . . . . . . . . . . . 264 8. . . . . . . . . . 253 Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . 235 7. . . . . . . . . . . . . . 
258 Summary Questions . . . . .3 Preventing Intruders from Connecting to a Wireless Network. . . . . . . . . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 . . . . . . . . . . . . . . . . . . .1x . . .4 Security Templates . . . . .6 802. . . . . . . . . . . . . . . . . .2 Using TACACS and TACACSϩ . 239 7. . . . . . .3. . . . . . . . . . . . . . . . . .3 Hardware VPN Solutions . . . . . .1 Wireless Networking Standards . . . 265 8. 265 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 8 Server Roles and Security . . . . . . . . . . . . .1.4 7. . . . . . . . . . . . . . . . . . . . . . . . . . 231 7. . . . . . . . . .2. . . . . . . . . . 252 7. . . . . . . . . . . . . . . . . . .3 Limiting Dial-Up Access. .3. . . . .1. . . . . . . . . . . . 234 Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxiv CONTENTS 7. .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4. . . 255 Summary . . . 263 8. . . . . . . . . . . . . . . . . . . . . . .4. . . . . . . . . . . 273 Self-Check . . . . . . . . . . . . . . . . 246 7. . . . . . . . . . . . . . . . . . . . . . . . . . 233 7. . . . . . 239 7. 270 8. .2.1 Point-to-Point Tunneling Protocol (PPTP) . 255 Key Terms . . . . . . . . . . . . . . . . . . . . .1. . .2 7. . . . . . . . . . .8 Designing for an Open Access Point . . .3 7. . . . .

. . . . . . . . . . . . . . . 317 9. . . . . . . . .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. . . . . . . . . . . . . . . . 295 Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 8. . . . . . . . . . . . . . . . . .1. . . . . . . . .2 Worms . . . . . . . 312 9. . . . . . . . . . . . .1. . . . . . . . . . . . . . 311 9. 289 Securing Domain Controllers . . . . . . . . . . 315 9. . . 292 Securing File and Print Servers . . . . . . . . . . 289 Self-Check . . . . . . . . . . 293 8. . . . . . . . 323 . . . . . . . . . . . . . . . . . . . . . .2. 317 9.1 Securing File Servers . 311 9. . . . . . . . . . . . . . . . . . . . 306 Applying This Chapter . . . . . . . . . . . .3 Computer Configuration Guidelines . . . . . . . . . . . . .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 9 Protecting Against Malware. . . . . . . . . . . . . . . . . .1 Viruses . . . . . . . . . . . . . . 304 Summary . . .1 Antivirus Software . 301 Self-Check . . . . . . . . . . . . . . . . 298 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2. . .2. . . . . 313 9. . . . . . . 312 9. . . 288 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 You Try It . . . . . . . . . . . . . . . . . . 287 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 Securing Web Servers.4 User Training . . . . . . . . 284 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 Self-Check .2. . . . . . . . . . . . . . . .2 Anti-Spyware . . . . . . . . . . . . . . . . .3 Trojan Horses . . 298 8. . . 274 8. . . . . . . . . . . . . . 314 9. . . . . . . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 9. . . . . . . . . . . . . . . 
.1 Viruses and Other Malware . . . . . . . . . . . . . . . . . . . . . . . . . . .2 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Securing WINS Servers . . . . . . . .2 Protecting the Workstation .4. . . . . . . . . . . . .2 Securing DHCP Servers . . . . . . . . . . . . 310 Introduction. . . . .4 Browser Parasites . . . . . . . . . . . . . . . . . .4 8. . . . . . . . . . . . . . . . . .2 Securing Print Servers . . . . . . . . . . . . . . . . . . . . . . . 297 Securing Application Servers . . . . . . 304 Assess Your Understanding. 306 Summary Questions . . . . . . . .6 Backdoors . . . . .2. . . . . .5 Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . .1 Securing DNS Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 8. . . . . . . . . . . . . . . . . . . . . . . . 313 Self-Check . . . . . . . . . . . . . . . . . . . . . . . .5 Securing NAT Servers. . . . . . . . . . . .4.2. . .5 Securing Network Infrastructure Servers . . . . . . . . . . . . . . . . . . . . . . . . . . .2.3 Securing FTP Server . . . . 304 Key Terms . . . . . .4. . . . . . .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 9. . . . . . . . . . . . . . . 311 9. . . . . . 289 Self-Check . . . . . . . .4 Securing Remote Access Servers . . . . . .2. . . . . . . . . .2 Securing Database Servers . . . . . . . . . .CONTENTS xxv 8. . . . . . . . . . . . .5. . . . . . . . . . . . . . . . 275 8. .3 8. . . . .

. . . . . . . . . . . . . . . . . . . . 352 Applying This Chapter . . . . . . . . . . . . .2 Web Browser Technologies . . . . . . . . . . . . . . 365 10. . . . . . . . . . . . . 350 Assess Your Understanding. . . 371 10. 355 10 Ongoing Security Management . 358 10. . . . . . 334 9. . . .6 Configuring SUS Clients. . . . . . . . . . . . . . . . . . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . 360 10. .1 Security Audits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . 360 10. .2.1. . . . . . . . .3 Protecting Against Malcode Propagated by Email 345 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 9. . . . . . . . . . . . . .6 Configuring Web Features in Firefox . . . .1 Attacks that Disclose Data . . . . . . . . . . . 366 10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4. . . . .3 Specific Threats to a Browser Session . . . . . . . . . . . . . . . 342 9. . . . . . . . . . .1. . . .4. . . . . . . . . . . . . . . . . . . . . . . . .2. . .4 Creating a Security Update Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . .xxvi CONTENTS 9. 357 10.3 Secure Remote Administration . .1 Creating a Remote Management Plan .2 Spam . . . . . .5 Architectural Considerations . . . . . . . . . . . 374 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337 9. . . . 353 You Try It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Monitoring . . . 356 Introduction. . 336 Email Security . . . . . . . . 350 Key Terms . . . . .3. . . . . . . . .4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357 10. . . . . . . . . . . . . . . .3. 362 Self-Check . . . . . 357 10. . . . . 372 10. . 368 10. .3 9. . 349 Summary . . . . . . . . . . . . . . 
.2 Remote Management Security Considerations . . . . . . . .3. . . . . 336 9. . . .3. . . . 346 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 9. . . . . . . . . . . . . . .3 Importance of Automating Updates . . . . . . . . . . . . . . . . .1. . . . . .1 Managing Updates . . . . . .4 Web Browser Security. . .1 Configuration Management . . . .3. 327 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 10. . . . . . .4 Auditing in Windows . 347 Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Auditing and Logging . . . . . . . . . . . . . .4. .5 A WSUS Solution . 368 10. . . . . . .2 Understanding the Components of Configuration Management . . . . . .4 Mail Client Configurations . . . . . . . .3 Auditing on Unix . . . . . . 329 9. . . . . . . 352 Summary Questions . . . . . . . . . . . . . . . . . . . . . . . . 369 Self-Check . . . . . . . .1. . . . . . . . . . . . . . . . . . . . . . . . .1 Web Browser Risks . . . . . . . . . . . . . . . . . . . . .4 Browser Configuration . . 323 9. . . . . . . . . .4. . . . . . . . . . 366 10. . . .2. . . . . . . . . . . . . . . . . .5 Internet Explorer Security Zones . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. . . . . . . . . . . .3. 362 10. . . . . . . . . . . . . . . . . . . . . . 336 Self-Check . . .

425 Self-Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Storage Area Networks (SANs) . . . . . . . . . . .1 Eliminating Single Points of Failure . 427 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 Introduction. . .2 Backing Up System Configurations . . . . . . . . 427 Assess Your Understanding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3. . . . . . . . . . . . . . . .3 10. . . . . . . . . . .3. . . . . . .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Disaster Recovery Planning . . . . . . .1.6 Planning Remote Management Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 Summary Questions .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 Designing for Emergency Management Services . . . . . . . . . . . . . . .2 Creating a Backup Strategy . . . . . . . . .2. . . . . . . . . . . . . . . . . . . . . . . . . . . 408 11. . .3. . .4 Choosing Between Hardware and Software RAID . . . . . 414 Self-Check . . . . . . . 421 11. . . . . . . . . . . . 375 Securing Windows Inbound Management Tools. . . . . . . . . . . . . . . . .6 Determining Backup Frequency . . 415 11. . . . . . .3 RAID Levels . . . 407 11. . 409 11. .1 Analyzing Backup Requirements . . . 432 Intrusion Detection and Forensics . . . . . . . . . . . . . . . . 416 11. . . . .2 Selecting Fault Tolerant Storage . . . . . . . . . . . . . . . . . . . . .2. . . . . . . . . . . . 411 11. . . . . . . . . . . . . . . . . . . .3. 399 11. . . . . . . . . . 433 Introduction. .2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Choosing a Backup Tool. . .3 Designing an Incident Response Procedure . . 430 You Try It . . . . . . 396 11. . 413 11. . . . . . 423 11. . . . . . . . . . . .3. . . . . . . . . . . . .7 Assigning Responsibility for Backups . . 408 11. . . . . . . . . . . . . . . . . . . . . . . . . . .2. . . . . 
.6 Designing a Failover Solution. . 396 11. . . . . . . 427 Key Terms . . . . . . . . . . . 434 12. . . . . . . . . . . . . . . . . . . . .3 Designing for Fault Tolerance . . . . 429 Applying This Chapter .3. . . . . . .2. . . . . . . . . .5 Determining the Types of Backup . . . . . . . . . . . . 410 11. . . .3. . . . . . . . . . .2. . . . . . . . . . . . . . . . . . . . . .8 Testing Recovery . . . . . . . . . . 407 11. . . . . . . . . . . . . . . . . . . .2. . . . . . . . 434 12 . . . . . . . . . . . . . . . . . . . . . . . . .1 Intrusion Detection . . . . 389 11 Disaster Recovery and Fault Tolerance . . . . . . .4 10. . . . . . . . . . . . . . .2. . . . . . . . . . . . . . . . . . .1 Planning for the Worst . . . . . . . . . . . . . . . . . . . . . .4 Choosing the Backup Media. . . . . 414 11. . . . . . . . . . . . . . . . 407 11. . 403 Self-Check . . . . . . . . .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 Securing TCP/IP Remote Management Tools . . . . . .CONTENTS xxvii 10. . . . .1 Business Continuity Planning. . . . . . . . . . . . . . . . . . . . . . . .5 10. . . . . . . . . . . . . . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . .3. . . . . . . . . . . . . . . . . 415 11. . . . . . . . . . . . . . 416 11. . . . . . . . . . . . . . 383 Self-Check . . . . . . 396 11. . . . . . . . . .

. . . . 459 Applying This Chapter . . . . . . . . . . . . . . . . . . . . . . . . . .3. 439 Honeypots . . . . . . . . . . .3 When to Use a Honeypot . . . . . . . . . 462 Index . . . . . . . . . . . . . . . . Detecting. . .2. . . . . 445 12. . . . . . . . . . . . . . . . . . . . . . . . . and Responding to Attacks . . . . . . . . . . . . 444 12. . . . . . . . . . .3 IDS Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438 12. . . . . . . . . . . . . . .3 Preparing a Hard Drive Image . . 448 12. . . . . . . . . . . . . . . . . . . . . . . 460 You Try It . . . . . .3. . . . . . . 450 Self-Check . . . . . . . .2 Intrusion Detection Systems (IDS) .2. . . .xxviii CONTENTS 12. . . . . . . . . . . . . 444 Forensics . . . . .1 Intrusion Detection and Response . . . . . . . . 461 Glossary. . . . . . . . . . . . . . . . . . . . . . . . .3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458 Assess Your Understanding. . . . . .1. . . . . . . . . . . . . . 434 12. . . . . . . . . . . . . 440 12. . . . . . . . . . . . . . . . . . . .4 Legal Considerations . .1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442 12. . . .1 Preventing. . . . . . . . . . . . . . . . . . . 507 . . . . . . .2. . . . . . . . . . . . . . . . 459 Summary Questions . . . . . . . . . . . . . . . . . . . . . . . . . . .2.1. . . 457 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3. . . . . . . . . . . . . . . . . . . . . . . .2 12. . . . . . . 457 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 12. . . . . 439 12. . . . . . . . . .2 Gathering Evidence on a Live System . . . . . . . . . . . . . . . . . . . . . . . . . . . .1. . . . 443 Self-Check . . . . . . 441 12. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 Understanding Evidence . . . 444 12. . . . . . . . . . 439 Self-Check . . . 
. . . . . . . .2 Honeypot Categories . . . . . . . . 434 12. . . . . . . . . . . . . . . . . . . .4 Intrusion Prevention Systems (IPS) . . .4 Searching for Data on a Hard Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1 COMPUTER AND NETWORK SECURITY PRINCIPLES

Starting Point
Go to www.wiley.com/college/cole to assess your knowledge of computer and network security fundamentals. Determine where you need to concentrate your effort.

What You’ll Learn in This Chapter
▲ Why networks need security
▲ Types of attacks
▲ Key aspects of security
▲ Threat analysis
▲ Social engineering
▲ Security policies, procedures, and standards

After Studying This Chapter, You’ll Be Able To
▲ Identify the key aspects of security and explain why they are important to a business
▲ Describe how social engineering presents a security risk
▲ Compare quantitative risk analysis and qualitative risk analysis
▲ Identify assets and assess their value
▲ Identify vulnerabilities and assess their criticality
▲ Identify threats and assess their likelihood
▲ List the elements of the ISO 17799 standard and describe how they relate to network security

The basic Internet protocols provide no confidentiality protection. When securing a single computer. Then the chapter introduces threat modeling and risk mitigation. Next the chapter looks at the key aspects you need to consider when implementing security on a computer or network. you are concerned with protecting the resources stored on that computer and protecting that computer from threats. 1. Figure 1-1 illustrates two potential attacks on your private financial data. These examples should get you thinking about what could happen if computer and network security is not implemented. For example. The chapter concludes with an introduction to security policies and procedures. the first section of this chapter describes some potential threats to computer security at a general level.2 COMPUTER AND NETWORK SECURITY PRINCIPLES INTRODUCTION When you begin to learn about computer and network security. in the spring of 2005. but other network devices. Think about the vulnerability of the data you store on your cell phone or on your personal digital assistant (PDA). and the data being transmitted across the network. you will learn to appreciate the importance of computer and network security by looking at a few examples of attacks that could occur. network transmission media. The main purpose of this chapter is to get you thinking about the things that can happen when security is not implemented on a computer or network—to increase your paranoia a little—and to give you a foundation in some key security concepts. so parties located between customer and merchant could capture credit card numbers and use them later for fraudulent purchases. We’ll also define security as it will be used in the context of this book.1 Importance of Computer and Network Security Computer security involves implementing measures to secure a single computer. 1. Therefore. Do you use passwords that are hard to guess to protect it? 
Similar confidentiality concerns are raised by the use of credit cards to make purchases over the Internet.1 Exposing Secrets The more wired our society becomes.1. the more our confidential data is subject to being discovered by those who will use it maliciously or for their own benefit. hackers discovered the password to Paris Hilton’s T-Mobile© Sidekick© and published her address book and other personal information on the Internet. In this section. You must consider not only the computers on the network. Network security involves protecting all the resources on a network from threats. Secure Sockets Layer (SSL) was developed . you need to understand why you’re doing so.

Identity theft. using somebody else’s “identity” (name. There is documented evidence that such attacks have occurred. Transport Layer Security (TLS) offers stronger protection than SSL and is gradually replacing it. the protocol used on the World Wide Web. such as Internet browsers or email software. Instead.2 Causing System Failures Some attackers are not after confidential data.) to gain access to a resource or service. which provides encryption of data sent using Hypertext Transfer Protocol (HTTP). they want to disrupt business. Badly protected servers at a merchant site that hold a database of customer credit card numbers are a much more rewarding target. social security number. Vulnerabilities in software that accepts user input. SSL defines the Hypertext Transfer Protocol over SSL (HTTPS). These attackers use a variety of techniques to cause damage.1. bank account number. that is. by Netscape® to deal with this very problem. The Internet worm of November 1988 is an early well-documented example of this species. Worms and viruses make use of overgenerous features or vulnerabilities to spread widely and overload networks and end systems with the traffic they generate. Attackers might corrupt data on the device itself or use the device as a stepping stone for attacks against third parties. its use does not mean your credit card number is safe.1 IMPORTANCE OF COMPUTER AND NETWORK SECURITY 3 Figure 1-1 Unauthorized access CC# Your computer Intercept E-commerce Server Data Risks of using an e-commerce website. 1. exploits an inherent weakness in services that use nonsecret identifying information to authenticate requests. etc. Although SSL and TLS can protect data while it is being sent across the Internet (or another unsecured network). Scanning Internet traffic for packets containing credit card numbers is an attack strategy with a low yield. either to obtain credit card numbers or to blackmail the merchant.1. 
Denial-of-service attacks against specific targets have started to . can allow external parties to take control of a device. Another potential risk is identity theft.

Attacker Motivation It has been said that the goal of security engineering is to raise the effort involved in an attack to a level where the costs exceed the attacker’s gains. not computers.3 Profile of an Attacker In the scenarios described above. Attacker Expertise There is similar variance in the expertise required to break into a system. Hackers might want to demonstrate their technical expertise and might draw particular satisfaction from defeating security mechanisms that have been put in their way. Although there have been some very high profile attacks via the Internet. When designing security. Some attacks require deep technical understanding. Understanding your enemy is a good first step in learning how to defeat him or her.1. Employees who have been fired might want revenge on their former employers. In some cases insider knowledge will be required to put together a successful attack plan. Not every attacker is motivated by a wish for money. A social engineering attack is one that involves people. In this respect. Hassling computer operators on the phone to give the caller the password to a user account is a favorite ploy. social engineering could be more important than technical wizardry. insider fraud remains a considerable concern in organizations and in electronic commerce transactions.4 COMPUTER AND NETWORK SECURITY PRINCIPLES occur in the last decade. This . Cyber vandals might launch attacks without much interest in their consequences. the attacks come from the outside. attackers who have little insight into the vulnerabilities or features of a system. Other attacks have been automated and can be downloaded from websites so that they can be executed by script kiddies. 1. typical statistics for the sources of attacks show that attacks from insiders account for a majority of incidents and the largest proportion of damages. 
Resilience against denial-of-service attacks has become a new criterion in the design of security protocols.1.4 Social Engineering One of the common ways attackers gain information is through social engineering. A denial-of-service attack is one that prevents a server from performing its normal job. Keeping the enemy outside the castle walls is a traditional paradigm in computer security. but use scripts to launch attacks. Such advice might be short-sighted. However. it helps to understand something about why hackers attack and their different levels of expertise. Political activists might deface the websites of organizations they dislike or launch attacks on a politician’s site so that visitors are redirected to a different site. 1.

makes it especially difficult for the network administrator to thwart. The following are some examples of social engineering attacks:

▲ An attacker calls an employee on the phone claiming to be an administrator. The person asks for the user’s name and password so they can verify the user’s network settings.
▲ An attacker who does not work for the company claims to be a temporary employee or contractor. The attacker is allowed access to a computer, or worse, to the server room.
▲ An attacker sifts through documents in the trash bin to discover employee names, organizational hierarchy, or even network configuration data.

These are just a few examples of social engineering attacks. The best way to prevent a social engineering attack is by educating employees about unsafe practices.

FOR EXAMPLE
A Network Without Security

You have been hired at a small company as a network administrator. The company has been using peer-to-peer networking to allow users to share files. The company does not have a security policy and users frequently share their passwords with other users so that they can share files. When you raise concerns to the owner of the company, he shrugs his shoulders. “Nothing has happened so far. Besides, we’re not even connected to the Internet,” he says. You ask the owner to think about the kinds of data that are stored on each person’s computer and what would happen if the data fell into the wrong hands. You explain that a password should be a secret that only a single person knows because that password gives them access to confidential files. You give the example of a disgruntled employee who leaves with the customer list. The owner thinks for a moment and turns pale. “You know, I hadn’t thought about that before. Your first job is to figure out how I can protect my company from an attack that compromises its confidential data.”

1.1.5 Security Defined

Software might crash, hardware components might fail, communication networks might go down, and human operators might make mistakes. As long

as these failures cannot be directly attributed to some deliberate human action, they are not classified as security issues. Accidental failures are reliability issues. Operating mistakes are usability issues. Security is concerned, in contrast, with intentional failures. There might not always be a clear intent to achieve a particular goal, however, and there can be different reasons for such actions, but there is at some stage a decision by a person to do something he or she is not supposed to do. The root cause of security problems is human nature. Security practitioners know that security is a “people problem” that cannot be solved by technology alone. The legal system has to define the boundaries of acceptable behavior through data protection and computer misuse laws. As outlined previously, responsibility for security within organizations resides ultimately with management and with the users on the network. Managers must enforce the company’s security policies. Users have to cooperate and comply with the security rules laid down in their organization. Of course, correct deployment and operation of technical measures is also part of the overall solution.

SELF-CHECK

1. List three attacker motivations.
2. How does SSL protect data?
3. What makes a social engineering attack difficult to mitigate?

1.2 Underlying Computer and Network Security Concepts

In this section, we examine some key concepts underlying computer and network security. These concepts include the following:

▲ Confidentiality: prevention of unauthorized disclosure of information.
▲ Integrity: prevention of unauthorized modification of information.
▲ Availability: prevention of unauthorized withholding of information or resources.
▲ Accountability: holding users accountable for their actions.
▲ Nonrepudiation: the ability to ensure that someone cannot deny (i.e., repudiate) his or her actions.

1.2.1 Confidentiality

Historically, security and secrecy were closely related. Even today, many people still feel that the main objective of computer security is to stop unauthorized users from learning sensitive information. Confidentiality (privacy, secrecy) captures this aspect of computer security. The terms privacy and secrecy are sometimes used to distinguish between the protection of personal data (privacy) and the protection of data belonging to an organization (secrecy).

As you examine confidentiality issues, you will also face the question of whether you only want to hide the content of a document from unauthorized view, or also its existence. To see why one might take this extra step, consider traffic analysis in a communications system. If the contents of messages are hidden, an unauthorized observer might simply look at who is talking to whom how often, but not at the content of the messages passed. Even so, an observer could derive useful information about the relationship between the corresponding parties. This very issue has been debated recently in the United States Senate with regard to whether phone companies should be required to provide records of telephone calls to the government and what restrictions apply.

You need to consider the confidentiality of data both when it is stored on a computer and when it is being transmitted across the network. Whenever data leaves a company’s site, it becomes vulnerable. Another consideration is ensuring the confidentiality of data stored on laptop computers or removable devices, such as a USB drive. There have been several recent incidents involving missing laptops that store confidential data.

1.2.2 Integrity

It is quite difficult to give a concise definition of integrity. In general, integrity is about making sure that everything is as it is supposed to be, and in the context of computer security, the prevention of unauthorized modification of information. From a systematic point of view, additional qualifications like “being authorized to do what one does” or “following the correct procedures” have also been included under the term integrity, so that users of a system, even if authorized, are not permitted to modify data items in such a way that assets or accounting records of the company are lost or corrupted. So far we have defined security by specifying the user actions that have to be controlled. Integrity is better defined in terms of the state of the system. The Orange Book (or Trusted Computer System Evaluation Criteria, developed by the United States Department of Defense) defines integrity in just this way: as the state that exists when computerized data is the same as that in the source documents and that has not been exposed to accidental or malicious alteration or destruction.

In this definition, data integrity is a synonym for external consistency. The data stored in a computer system should correctly reflect some reality outside the computer system. However, while this state is highly desirable, it is impossible to guarantee this property merely by mechanisms internal to the computer system.

Integrity is often a prerequisite for other security properties. For example, an attacker could try to circumvent confidentiality controls by modifying the operating system or an access control table referenced by the operating system. Hence, we have to protect the integrity of the operating system and the integrity of access control data structures to achieve confidentiality.

Integrity is also an issue when data is transmitted across a network. An attacker could intercept and modify packets of data on the network if that data’s integrity is not protected (see Figure 1-2). This type of attack is known as a man-in-the-middle attack.

Figure 1-2: Man-in-the-middle attack. The computer sends a packet for an amount of $500 to the server; the attacker intercepts the packet and changes the amount to $5000.

1.2.3 Availability

Availability is very much a concern beyond the traditional boundaries of computer security. Engineering techniques used to improve availability often come from other areas like fault-tolerant computing (a computer system or systems that can tolerate the failure of a component). In the context of security, we want to prevent denial of service. That is, we want to ensure that a malicious attacker cannot prevent legitimate users from having reasonable access to their systems.
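The tampering in Figure 1-2 succeeds only because nothing lets the server tell a modified packet from the original. The following added example (not from the book) models that exchange on a constructed message and shows how a shared-key message authentication code (HMAC-SHA256) lets the receiver detect the change from $500 to $5000; the key, field names and packet layout are constructed for illustration.

```python
"""Detecting the man-in-the-middle modification of Figure 1-2 with an HMAC.

Added example, not from the book. The message format ("from=...;to=...;
amount=...;"), the shared key and the '|' separator are constructed for
illustration; the integrity check itself is standard HMAC-SHA256.
"""
import hashlib
import hmac
from typing import Optional

# Constructed shared secret known to the sending computer and the server.
KEY = b"constructed-demo-key-shared-by-computer-and-server"


def protect(message: bytes, key: bytes = KEY) -> bytes:
    """Sender side: append an HMAC-SHA256 tag (hex) to the message."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + b"|" + tag


def verify(packet: bytes, key: bytes = KEY) -> Optional[bytes]:
    """Receiver side: return the message if its tag checks, else None.

    The hex tag never contains '|', so rpartition splits off the tag
    unambiguously. compare_digest is a constant-time comparison, so the
    check does not leak which tag bytes matched.
    """
    message, sep, tag = packet.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message if hmac.compare_digest(expected, tag) else None


def man_in_the_middle(packet: bytes) -> bytes:
    """The attacker of Figure 1-2: rewrites the amount while it is in transit.
    Without the key the attacker cannot recompute a matching tag."""
    return packet.replace(b"amount=500;", b"amount=5000;")


def unprotected_transfer() -> bytes:
    """No integrity protection: the server accepts whatever arrives."""
    packet = b"from=alice;to=bob;amount=500;"
    return man_in_the_middle(packet)          # server sees amount=5000


def protected_transfer() -> Optional[bytes]:
    """With the MAC the modified packet fails verification (returns None)."""
    packet = protect(b"from=alice;to=bob;amount=500;")
    return verify(man_in_the_middle(packet))  # None: tampering detected


if __name__ == "__main__":
    print("unprotected, server receives:", unprotected_transfer())
    print("protected, server accepts:", protected_transfer())
    print("untampered, server accepts:", verify(protect(b"from=alice;to=bob;amount=500;")))
```

The MAC gives integrity (and origin) for the amount field only; it does not hide the message, so confidentiality still needs encryption.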

There have now been a number of incidents of flooding attacks on the Internet where an attacker effectively disabled a server by overwhelming it with connection requests. A denial-of-service attack can also be launched against network resources. For example, in February 2007, a denial-of-service attack was launched against the domain name system root servers on the Internet. Fortunately, the attack did not disrupt Internet traffic. In many situations, availability might be the most important aspect of computer and network security, but there is a distinct lack of security mechanisms for handling this problem. As a matter of fact, security mechanisms that are too restrictive or too expensive can themselves lead to denial of service. Designers of security protocols now often try to avoid imbalances in workload that would allow a malicious party to overload its victim at little cost to itself.

Figure 1-3 shows one of the first denial-of-service attacks, a smurf attack. A smurf attack requires the attacker to spoof (pretend to be someone you are not) the identity of the victim. In a smurf attack, the attacker sends an Internet Control Message Protocol (ICMP) echo request to the broadcast address of some network with a spoofed sender address (the victim’s address). The echo request will be distributed to all nodes in that network. Each node will reply back to the spoofed sender address, flooding the victim with reply packets. The amplification provided by the broadcast address works to the attacker’s advantage.

Figure 1-3: A denial-of-service attack (smurf attack). The attacker sends one echo request to the broadcast address; nodes A, B, C and D each send a reply to the victim.

1.2.4 Accountability

Confidentiality, integrity, and availability all deal with different aspects of access control and put their emphasis on the prevention of unwelcome events. You have to accept the fact that you will never be able to prevent all improper actions. First, you might find that even authorized actions can lead to a security violation.

Second, you might find a flaw in your security system that allows an attacker to find a way past your controls. Therefore, you might add a new security requirement to your list: users should be held responsible for their actions (accountability). To provide accountability, the system has to identify and authenticate users. It has to keep an audit trail of security-relevant events. If a security violation has occurred, information from the audit trail could help to identify the perpetrator and the steps that were taken to compromise the system.

1.2.5 Nonrepudiation

Nonrepudiation provides undeniable evidence that a specific action occurred. This definition is meaningful when analyzing the security services that cryptographic mechanisms can provide. Typical nonrepudiation services in communications security are nonrepudiation of origin, providing evidence about the sender of a document, and nonrepudiation of delivery, providing evidence about the fact that a message was delivered to a specific recipient. A physical example of nonrepudiation is sending a letter with a return receipt requested. When you do so, a person must sign for the letter. This is an example of nonrepudiation of delivery because you can prove that the letter was delivered. Of course, the person who signs for the letter might not be the person to whom the letter was addressed. Suppose the person who signs for the letter forges the name of the addressee. This means that the delivery can be repudiated (denied) by the actual addressee. This raises a potential weakness in nonrepudiation. An example of nonrepudiation on a network is digital signature. A digital signature allows a recipient to verify that the letter was actually sent by a sender. This is an example of nonrepudiation of origin.

FOR EXAMPLE
Identifying Security Concerns

In speaking with your manager and several other employees at your new company, you identify some documents with confidentiality requirements, some with integrity requirements, and some with both. These documents are listed in Table 1-1. You also identify a few resources with availability requirements during business hours. For example, one computer in the Sales department stores the “InventoryAndOrders” database. If it cannot be accessed during business hours, salespeople will not be able to check inventory or place customer orders.

Table 1-1: Confidentiality and Integrity Requirements (columns: Data, Confidentiality, Integrity; rows: Payroll records, Product design specifications, Health insurance claims, Customer lists, Accounts receivable records, Sales records, Employee reviews)

SELF-CHECK

1. Explain how availability is a security concern.
2. Compare confidentiality and integrity. Include areas where they overlap.

1.3 Threats and Countermeasures

Risk is the possibility that some incident or attack will cause damage to an organization’s network. An attack consists of a sequence of actions that attempts to exploit weak points in an organization’s practices or its network configuration. To assess the risk posed by the attack you have to evaluate the amount of potential damage and the likelihood that the attack will occur. This likelihood will depend on the attacker’s motivation and on how easy it is to mount the attack. In turn, this will further depend on the security configuration of the system under attack. The process of identifying a risk and assessing its likelihood and impact is known as risk analysis. Many areas of engineering and business have developed their own disciplines and terminology for risk analysis. This section gives a brief overview of risk analysis for Information Technology (IT) security. Within IT security, risk analysis is applied

▲ Comprehensively for all information assets of an enterprise.
▲ Specifically for the IT infrastructure of an enterprise.
▲ During the development of new products or systems, for example, in the area of software security.

1.3.1 Assessing Assets, Vulnerabilities, and Threats to Calculate Risk

The first step in risk analysis is to identify assets, vulnerabilities, and threats, and to rank them according to their value (assets), impact on the business if they are exploited (vulnerabilities), and likelihood of occurrence (threats). Let’s take a look at each of these elements.

Assets

First, assets have to be identified and valued. In an IT system, assets include the following:

▲ Hardware: laptops, servers, routers, PDAs, mobile phones, smart cards, desktops, and so on.
▲ Software: applications, operating systems, database management systems, source code, object code, and so forth.
▲ Data and information: essential data for running and planning your business, design documents, digital content, data about your customers, data belonging to your customers (like credit card numbers), and so on.
▲ Reputation: the opinion held by your customers and the general public about your organization. Reputation can affect how likely a person is to place an order with you or provide you with information.

Identification of assets should be a relatively straightforward, systematic exercise. Valuation of assets is more of a challenge. Some assets, such as hardware, can be valued according to their monetary replacement costs. Even when equipment is lost or stolen you have to consider the value of the data stored on it, and the value of the services that were running on it. For other assets, such as data and information, valuation is more difficult. If your business plans are leaked to the competition or private information about your customers is leaked to the public you have to account for indirect losses due to lost business opportunities and damage to reputation. The competition might underbid you and your customers might desert you. In such situations, assets can be valued according to their importance. As a good metric for value, ask yourself how long your business could survive when a given asset has been damaged: a day, a week, a month?

Vulnerabilities

Vulnerabilities are weaknesses of a system that could be accidentally or intentionally exploited to damage assets. In an IT system, the following are typical vulnerabilities:

▲ Accounts with system privileges where the default password, such as ‘MANAGER’, has not been changed.

▲ Programs with unnecessary privileges.
▲ Programs with known flaws.
▲ Weak access control settings on resources, for example, granting everyone full control to a shared folder.
▲ Weak firewall configurations that allow access to vulnerable services.

Vulnerability scanners (also called risk analysis tools) provide a systematic and automated way of identifying vulnerabilities. However, their knowledge base of known vulnerabilities has to be kept up to date. Organizations like the SANS Institute or the Computer Emergency Response Team (CERT) provide this information, as do security advisories of software companies. One vulnerability scanner provided by Microsoft® is the Microsoft Baseline Security Analyzer (MBSA).

Vulnerabilities can be rated according to their impact (level of criticality). For example, a vulnerability that allows an attacker to take over an administrator account is more critical than a vulnerability that gives access to an unprivileged user account. A vulnerability that allows an attacker to completely impersonate a user is more critical than a vulnerability that allows a user to be impersonated only in the context of a single specific service. Some vulnerability scanners give a rating for the vulnerabilities they detect.

Threats

Threats are actions by adversaries who try to exploit vulnerabilities in order to damage assets. There are various ways to identify threats. You can categorize threats by the damage done to assets. Microsoft’s STRIDE threat model for software security lists the following categories:

▲ Spoofing identities: The attacker pretends to be somebody else.
▲ Tampering with data: Security settings are changed to give the attacker more privileges.
▲ Repudiation: A user denies having performed an action like mounting an attack or making a purchase.
▲ Information disclosure: Information might lose its value if it is disclosed to the wrong parties (e.g., trade secrets). Your organization might also face penalties if it does not properly protect information (e.g., personal information about individuals).
▲ Denial of service (DoS): DoS attacks can make websites temporarily unavailable. For example, there have been stories in the press that businesses use such attacks to harm competitors.
▲ Elevation of privilege: The term elevation of privilege refers to a user who gains more privileges on a computer system than he or she is entitled to.

You can also categorize threats by the source of the attacks. Is the adversary a member of your organization or an outsider, a contractor or a former member? Does the adversary have direct access to your systems or is the attack launched remotely? You can also analyze in detail how an attack is executed. An attack might start with innocuous steps, such as gathering information needed to move on to gain privileges on one computer, and then might progress with more alarming steps such as jumping to another computer, and so on until the final target is reached. One way to do this is to draw an attack tree (a hierarchical diagram that illustrates how an attack might occur), like the sample in Figure 1-4. The root of an attack tree is a generic attack. The nodes in the tree are subgoals that must be achieved for the attack to succeed. Subgoals can be broken into further subgoals. There are AND nodes and OR nodes. To reach an AND node, all subgoals have to be achieved. To reach an OR node, it is enough if one subgoal is achieved. To get a more complete picture of potential threats, a forest of attack trees can be constructed.

Figure 1-4 gives a basic attack tree for the attack “get password.” A password can be obtained by guessing, by tricking an operator to reveal it, or by spying on the user. Guessing can occur online or offline. For offline guessing, the attacker needs the encrypted password and has to perform a dictionary attack or a brute force attack. A dictionary attack is one in which all the words in the dictionary are tried until a match is found. A brute force attack is one in which software tries different combinations of letters, numbers, and symbols until a match is found. The attacker can also spy on the victim in person (so-called shoulder surfing), direct a camera at the keyboard to see the keys typed, or direct a microphone at the keyboard to distinguish the keys pressed by sound.

Figure 1-4: Attack tree for obtaining another user’s password. Root: get password. Subgoals: guess password (guess on-line, or guess off-line, which requires both get encrypted password and dictionary attack), ask operator, and spy password (in person, camera, or microphone).

It is possible to assign values to the various strategies represented in an attack tree (e.g., dictionary attack, ask operator). These values can indicate the estimated cost of an attack, the likelihood that it will occur, the likelihood that it will succeed or some other aspect of interest. From these values, the cheapest attack, the most likely attack, or the attack most likely to succeed can be computed. Attack trees are thus a formalized and structured method for analyzing threats. Threat assessments become reproducible as the overall assessment of a threat can be traced to the individual assessments of subgoals, and those individual valuations can be adjusted to more plausible values. If the final result appears implausible, the tree can be consulted to see which subgoals were most critical for the final result. Note that the construction of attack trees is more an art than a science. You need experience to know when to readjust your ratings for subgoals, and when to adjust your preconceived opinion of the severity of a threat. You also need experience to know when to stop breaking up subgoals into ever more subgoals, a phenomenon known in the trade as analysis paralysis.

Threats can be rated according to their likelihood. The likelihood depends on the difficulty of the attack, on the motivation of the attacker, and on the number of potential attackers. Attack scripts automate attacks, making it easy to launch the attack. They are also likely to be available to a larger set of attackers. As a result, such attacks would be rated more likely than an individual handcrafted attack.

1.3.2 Calculating Risk

Having rated the value of assets, the critical nature of possible vulnerabilities, and the likelihood of threats, you now face the task of actually calculating risk. You can calculate risk as follows:

Risk = Assets × Vulnerabilities × Threats

In the process of risk analysis, values are assigned to assets, vulnerabilities, and threats. In quantitative risk analysis, mathematical values are used, for example, by assigning monetary values to assets and probabilities to threats. From these values, the expected loss can be calculated. In qualitative risk analysis, risk is calculated based on rules that capture the consolidated advice of security experts and that do not necessarily have a mathematical underpinning.

In quantitative risk analysis, expected losses are computed based on monetary values for the assets and probabilities for the likelihood of threats. This method has the benefit of being based on a well-established mathematical theory, but also has the considerable drawback that the ratings obtained are often based on educated guesses. The quality of the results obtained cannot be better than the quality of the inputs provided. There are areas of risk analysis where quantitative methods work, but more often the lack of precision in the inputs does not justify a mathematical treatment.
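The attack-tree valuation described above (cheapest attack, attack most likely to succeed, re-rating a subgoal and seeing how the result changes) can be carried out mechanically once AND and OR nodes are given their combination rules. The following added example (not from the book) does this for the tree of Figure 1-4; the per-leaf effort values and success probabilities are constructed, hypothetical ratings chosen only to illustrate the computation.

```python
"""Evaluating the Figure 1-4 attack tree: cheapest and most likely attack.

Added example, not from the book. The tree shape follows Figure 1-4 (root
"get password"; "guess off-line" is an AND node needing the encrypted
password plus a dictionary attack). Leaf costs and success probabilities are
constructed, hypothetical ratings in arbitrary units.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"           # "AND", "OR" or "LEAF"
    cost: float = 0.0            # leaf only: estimated attacker effort
    p_success: float = 0.0       # leaf only: estimated success probability
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Cheapest way to reach `node`: (total cost, leaf subgoals used).

    OR node: one subgoal suffices, so take the cheapest child.
    AND node: every subgoal is needed, so add the children's costs.
    """
    if node.kind == "LEAF":
        return node.cost, [node.name]
    sub = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(sub, key=lambda r: r[0])
    if node.kind != "AND":
        raise ValueError(f"unknown node kind {node.kind!r}")
    return sum(r[0] for r in sub), [leaf for r in sub for leaf in r[1]]


def most_likely(node: Node) -> Tuple[float, List[str]]:
    """Attack most likely to succeed: (probability, leaf subgoals used).

    OR node: the attacker picks the best option, so take the maximum.
    AND node: all subgoals must succeed; treating them as independent,
    multiply the children's probabilities.
    """
    if node.kind == "LEAF":
        return node.p_success, [node.name]
    sub = [most_likely(c) for c in node.children]
    if node.kind == "OR":
        return max(sub, key=lambda r: r[0])
    prob = 1.0
    for r in sub:
        prob *= r[0]
    return prob, [leaf for r in sub for leaf in r[1]]


def password_tree(ask_operator_cost: float = 3.0) -> Node:
    """Figure 1-4's tree with constructed ratings. `ask_operator_cost` is a
    parameter so the effect of re-rating one subgoal can be shown."""
    def leaf(name: str, cost: float, p: float) -> Node:
        return Node(name, "LEAF", cost, p)

    guess_offline = Node("guess off-line", "AND", children=[
        leaf("get encrypted password", 6.0, 0.5),
        leaf("dictionary attack", 1.0, 0.6),
    ])
    guess = Node("guess password", "OR", children=[
        leaf("guess on-line", 8.0, 0.1),
        guess_offline,
    ])
    spy = Node("spy password", "OR", children=[
        leaf("in person", 5.0, 0.4),
        leaf("camera", 7.0, 0.5),
        leaf("microphone", 9.0, 0.2),
    ])
    return Node("get password", "OR", children=[
        guess,
        leaf("ask operator", ask_operator_cost, 0.7),
        spy,
    ])


if __name__ == "__main__":
    tree = password_tree()
    print("cheapest:", cheapest(tree))
    print("most likely to succeed:", most_likely(tree))
    # Re-rating: after operators are trained to refuse password requests,
    # "ask operator" becomes expensive and the cheapest path moves elsewhere.
    print("cheapest after re-rating:", cheapest(password_tree(ask_operator_cost=20.0)))
```

Changing a single leaf rating and re-running the evaluation is the tree-consultation step the text describes: the result stays traceable to the subgoal whose rating changed.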

In qualitative risk analysis, the following principles are used:

▲ Assets can be rated on a scale of critical–very important–important–not important.
▲ Criticality of vulnerabilities can be rated on a scale of has to be fixed immediately–has to be fixed soon–should be fixed–fix if convenient.
▲ Threats can be rated on a scale of very likely–likely–unlikely–very unlikely.

A finer method of scaling could be provided for each variable, that is, numerical values from 1 to 10. Whatever scheme is used, guidance has to be given on how to assign ratings. The mapping of the ratings for assets, vulnerabilities, and threats to risks is often given by a table drawn up to reflect the judgment of security experts. The DREAD methodology that complements STRIDE serves as an example of a scheme for qualitative risk analysis, as discussed below:

▲ Damage potential: relates to the values of the assets being affected.
▲ Reproducibility: one aspect of how difficult it is to launch an attack; attacks that are easy to reproduce are a greater risk than attacks that only work in specific circumstances.
▲ Exploitability: relates to the effort, expertise, and resources required to launch an attack.
▲ Affected users: for software vendors, another important contributing factor to damage potential.
▲ Discoverability: When will the attack be detected? In the most damaging case, you will never know that your system has been compromised. If you don’t know you’ve been attacked, then you don’t know to take steps to recover.

1.3.3 Countermeasures—Risk Mitigation

The result of a risk analysis is a prioritized list of threats, together with recommended countermeasures to mitigate (reduce the likelihood or impact of) risk. Risk analysis tools usually come with a knowledge base of countermeasures for the threats they can identify. It might seem as if one should first go through a risk analysis before deciding on which security measures to implement. However, there are two reasons why this ideal approach might not work. Conducting a risk analysis for a larger organization will take time, but the IT system in the organization and the world around it will keep changing. So, by the time the results of the analysis are presented, they are already somewhat out-of-date. Moreover, the costs of a full risk analysis might be difficult to justify to management.

For these reasons, organizations might opt for baseline protection as an alternative. This approach analyzes the security requirements for typical cases and recommends security measures deemed adequate. One of the best-known IT security baseline documents is maintained by the German Information Security Agency.

Another trend embraced by operating system manufacturers, including Microsoft, is to make their software secure by default. This doesn’t mean that the operating system does not have vulnerabilities. Instead, it means that known vulnerabilities are closed when the software is installed with default settings. An example of this is the requirement to provide a password for the Administrator account when you install Windows® Server 2003. Another example is the browser security settings configured by default in Windows Server 2003. Although you will most likely need to relax those settings at some point, a default installation will ensure that cookies, ActiveX controls, or other dynamic content cannot be downloaded through a web browser. Another example is that Windows Vista™ includes Windows Defender, an application that protects against spyware, adware, and popups. It also installs with Windows Firewall and is enabled by default.

FOR EXAMPLE
Performing a Risk Analysis

After identifying some of your organization’s documents at risk (see previous For Example Box), you take a more formal approach to your investigation. You decide to use qualitative risk analysis to determine where the highest risks to the company lie. You identify your company’s assets and assign them values, as shown in Table 1-2. You identify the vulnerabilities and rate them on how critical they are, shown in Table 1-3. You identify the threats and rate them according to their likelihood. A partial list is shown in Table 1-4. We’ll assign a value of 1 for Low, 5 for Medium, and 10 for High.

For an example, let’s take the threat of the denial-of-service attack against the server with the “InventoryAndOrders” database and walk through calculating its risk. The asset involved is the “InventoryAndOrders” database, which has a value of Medium. A vulnerability affecting the server that could cause a denial-of-service attack is unpatched software, which is assigned a criticality of Medium. Finally, the threat of a denial-of-service attack against this server is also assigned the likelihood of Medium. Therefore, the risk of a denial of service attack against the “InventoryAndOrders” database due to unpatched software is

5 × 5 × 5 = 125

Another vulnerability that can be exploited to launch a denial-of-service attack against the “InventoryAndOrders” database is the lack of a firewall. You assessed the impact of this vulnerability as High, or 10. Therefore, the risk of the attack occurring due to the lack of a firewall is calculated as

5 × 10 × 5 = 250

Let’s look at another example. The asset of payroll records is assigned the value of Medium, or 5. You ranked the likelihood of an employee reading or modifying payroll information as high, giving it a threat value of High, so we’ll assign it a value of 10. If the vulnerability that is exploited to launch this attack is weak passwords, the criticality value was rated at Medium, or 5. Therefore, the risk of this attack occurring is calculated as

5 × 5 × 10 = 250

However, if the vulnerability exploited is password sharing, which you have assigned an impact of High (10), the risk is

5 × 10 × 10 = 500

You determine that converting the network to use centralized security and establishing password policies can mitigate the worst security threats. Your baseline strategy will also include a firewall on the computer that shares the Internet connection and virus protection on all computers. These are common best practices and are a suitable start for a baseline security plan.

Table 1-2: Assets and Values

Asset                              Value
Payroll records                    Medium
Product design specifications      High
Health insurance claims            High
Customer lists                     High
Accounts receivable records        Medium
Sales records                      Low
Employee reviews                   Low
“InventoryAndOrders” database      Medium

2.1. .3 THREATS AND COUNTERMEASURES 19 Table 1-3: Vulnerabilities Vulnerabilities Unpatched software Internet connection with no firewall Antivirus protection missing or not updated Weak passwords Common password sharing Employees make decisions about who has access Criticality Medium High High Medium High High Table 1-4: Threats Threats A denial-of-service attack against the server with the “InventoryAndOrders” database A denial-of-service attack against the payroll server Internal employee reading or modifying payroll data without authorization Internal employee accessing employee review records Internal employee selling customer lists External person obtaining customer lists or product designs Likelihood Medium Low High Medium Medium Medium SELF-CHECK 1. Explain why qualitative risk analysis is often more appropriate than quantitative risk analysis. Describe the three domains that should be considered when calculating risk.

1.4 Policies and Standards
Protecting the assets of an organization is the responsibility of management. It is up to a network administrator to enforce the company's security policy without impacting, any more than necessary, usability or the ability of the users to perform their jobs. The first step in enforcing policies is to define the policies that will be enforced, both organizational and those that can be enforced through a computer configuration. In this section, we'll discuss security policies. Next we'll take a brief look at the recommendations suggested by the ISO 17799 security standard.

1.4.1 Security Policy
A security policy is a document that defines the security goals of the business. It should identify assets that need to be secured, how they will be secured, and a plan that should be followed if an asset is compromised. Assets include sensitive information like product plans, customer records or financial data, and the IT infrastructure of the organization. The policy should also include documentation of server configuration and a process for managing changes to that configuration.

At the same time, security measures often restrict people in their working habits and make some activities less convenient. This results in a temptation to flout security rules. But being overly strict can cause employees to circumvent the policy to do their jobs.

FOR EXAMPLE
Pencils and Server Room Doors
A security policy often states that all servers must be in a physically secure server room. Access to the server room is granted by swiping an employee's identification badge on the access pad by the server room door. Consider a situation in which a credit card bank has contracted with a consulting company to develop an application. The project is being developed on a test server that, due to various test cases, locks up and needs to be physically rebooted. The problem is that nobody on the development team is allowed into the server room, nor are they allowed to keep the server (even though it only contained test data) outside the server room. This means that somebody else has to reboot the computer, and since the server operators are busy with projects of their own, they open the door and put a pencil in it so the developers can go back and forth at will without bugging them. This clearly opens the server room to a physical breach of security, but an inflexible and strict security policy that stated only server operators had access to the server room and that all servers must be in the server room opened the door (no pun intended) to this kind of security circumvention in the name of productivity.

Depending on the industry and where the business is located, you may need to comply with legal regulations. Some legal regulations your security policy may need to comply with include the following:
▲ Health Insurance Portability and Accountability Act of 1996 (HIPAA)
▲ Federal Information Security Management Act of 2002 (FISMA)
▲ National Industrial Security Program Operating Manual (NISPOM)
▲ Gramm-Leach-Bliley Act (GLBA)

A security policy should also outline an appropriate use policy, which is a set of rules employees will be expected to follow. For example, you might restrict users from sharing documents on the network, from visiting websites that host games, or from installing software on their computers. Keep in mind that the more stringent a security policy, the more likely it is that users will attempt to circumvent it. You need to balance ease of use and user productivity requirements with the need for security. These factors should also be included in your security policy.

1.4.2 Standards
Security management standards that specify certain security measures required to be taken by an organization exist for a number of different types of industries. Typical examples are regulations for the financial sector or rules for dealing with classified material in government departments. Other management standards are best described as codes of best practice for security management. The most prominent of these standards is ISO 17799 (ISO stands for International Organization for Standardization). ISO 17799 is not a technical standard for security products or a set of evaluation criteria for products or systems. Instead, the major topics in ISO 17799 are as follows:
▲ Establishment of organizational security policy: An enterprise must provide management direction and support on security matters.
▲ Organizational security infrastructure: Responsibilities for security within an enterprise have to be properly organized. Reporting structures should facilitate efficient communication and implementation of security decisions. Management has to be able to get an accurate view of the state of security within an enterprise. Security has to be maintained when information services are being outsourced to third parties.

▲ Asset classification and control: To know what is worth protecting, and how much to spend on protection, an enterprise has to have a clear picture of its assets and of their value.
▲ Physical and environmental security: Physical security measures (fences, locked doors, etc.) protect access to business premises or to sensitive areas (rooms) within a building; for example, only authorized personnel should have access to server rooms. These measures can prevent unauthorized access to sensitive information and theft of equipment. The likelihood of natural disasters can depend on environmental factors, for example, whether the area is subject to flooding.
▲ Personnel security: An organization's employees can be a source of insecurity. Background checks on new hires are a good idea. In some sectors those checks may be required by law, but there might also be privacy laws that restrict which information an employer may seek about its employees. There should be procedures for new employees joining and for employees leaving (such as collecting keys and entry badges and deleting user accounts of employees that leave the company). Enforced holiday periods can prevent staff from hiding the traces of fraud they are committing.
▲ Communications and operations management: The day-to-day management of IT systems and of business processes has to ensure that security is maintained. Operational security depends on proper maintenance (for example, patching vulnerable code and updating virus scanners). IT support has to be conducted securely (for instance, how does the organization deal with users who have forgotten their passwords?) and IT projects have to be managed with security in mind (who is writing sensitive applications? Who gets access to sensitive data?).
▲ Access control: Access control can apply to data, services, and computers. Particular attention should be applied to remote access, such as through the Internet or dial-in connections. Automated security policies define how access control is being enforced.
▲ Systems development and maintenance: Security issues should be considered when an IT system is being developed.
▲ Business continuity planning: An organization must put measures in place so that it can cope with major failures or disasters. For example, backups of important data should be kept in a different building. Larger organizations might want to develop reserve computing facilities in a remote location. Organizations must also develop a plan to deal with the unavailability of key staff members.

▲ Compliance: Organizations have to comply with legal, regulatory, and contractual obligations, as well as with standards and their own organizational security policy. Developers should also be alert to the fact that certain categories of sensitive data (e.g., personal data) have to be processed according to specific rules and regulations. The auditing process to determine compliance should be efficient while trying to minimize its interference with business processes.

Achieving compliance with ISO 17799 can be quite an onerous task. The current state of your organization vis-à-vis the standard has to be established and any shortcomings identified have to be addressed, again applying best practices, only this time ensuring compliance with the standard. There are software tools that partially automate this process. Organizations developing IT services or products have the additional task of providing security training for their developers. There is rarely a clear dividing line between the security-relevant components and the rest of a system. It thus helps if developers in general are aware of the environment that a service will be deployed in and of the expected dangers, so that they can highlight the need for protection even if they do not implement the protection mechanisms themselves. Finally, developers should keep up-to-date with known coding vulnerabilities.

1.4.3 Informing Users of the Importance of Security
It is strongly recommended that you organize and publish security responsibilities in an organization in a way that makes it clear that security measures have the full support of senior management. A brief policy document signed by the chief executive that lays down the ground rules can serve as a starting point. This document should be part of everyone's employment handbook. Then, security awareness programs should be organized. Not every member has to become a security expert, but all members should know the following:
▲ Why security is important for themselves and for the organization.
▲ What is expected of each member.
▲ Best practices they should follow.
Trying to force users to follow rules they regard as arbitrary is not an efficient approach. Studies have shown that involving users as stakeholders in the security of their organizations encourages users to voluntarily comply with rules rather than look for work-arounds.

FOR EXAMPLE
Defining a Security Policy
You meet with the owner of the company to plan how you will implement the security requirements you identified. You recommend that he create a written security policy and that each employee read and sign it. You stress to him the importance of his support when presenting security guidelines to the other employees. You explain that some policies, such as requiring that users change their passwords periodically, can be enforced through software policies. But others, such as users not sharing passwords with other employees or with people outside the company, are more difficult to enforce. It is these policies that require user training. You suggest that the company sponsor a security awareness day in which employees receive training about the importance of security and the best practices for protecting company assets.

SELF-CHECK
1. Describe the components that should be included in a security policy.
2. Describe the purpose of ISO 17799.

SUMMARY
In this chapter you were introduced to a number of concepts and terms related to computer and network security. You learned why network security is important. You were introduced to the three key aspects of security: confidentiality, integrity, and availability. Next you learned about risk analysis. You learned that risk analysis involves identifying the assets, vulnerabilities, and threats, and assessing their importance, criticality, and likelihood. Finally, you learned the importance of security policies. You also learned what is required for ISO 17799 compliance.

KEY TERMS
Accountability
Analysis paralysis
Appropriate use policy
Attack script
Attack tree
Availability

Brute force attack
Computer security
Confidentiality
Data integrity
Denial-of-service attack
Dictionary attack
DREAD methodology
Elevation of privilege
External consistency
Fault-tolerant computing
Hypertext Transfer Protocol (HTTP)
Hypertext Transfer Protocol over SSL (HTTPS)
Identity theft
Integrity
ISO 17799
Man-in-the-middle attack
Mitigate
Network security
Nonrepudiation
Nonrepudiation of delivery
Nonrepudiation of origin
Privacy
Qualitative risk analysis
Quantitative risk analysis
Repudiated
Risk
Risk analysis
Risk analysis tool
Script kiddies
Secrecy
Secure by default
Security policy
Shoulder surfing
Smurf attack
Social engineering
Spoof
STRIDE threat model
Threat
TLS
Vulnerability
Vulnerability scanner
Written security policy

ASSESS YOUR UNDERSTANDING
Go to www.wiley.com/college/cole to evaluate your knowledge of computer and network security fundamentals. Measure your learning by comparing pre-test and post-test results.

Summary Questions
1. An attack in which a person calls on the phone and pretends to be a member of the IT department to obtain a user's password is known as which of the following?
(a) Attack script (b) Brute force attack (c) Dictionary attack (d) Social engineering attack
2. Which aspect of security is concerned with preventing the unauthorized modification of information?
(a) Authorization (b) Confidentiality (c) Integrity (d) Nonrepudiation
3. Which aspect of security is threatened by a smurf attack?
(a) Availability (b) Accountability (c) Integrity (d) Confidentiality
4. Qualitative risk analysis considers the likelihood of threats, but not the value of assets. True or false?
5. Which of the following assets is most difficult to associate with a mathematical value?
(a) Laptop computer (b) Database server (c) Reputation (d) Web server availability
6. A vulnerability scanner can be used to identify vulnerabilities and rate how critical they are. True or false?
7. Which of the following is not included in the STRIDE threat model?
(a) Storm damage (b) Repudiation

(c) Denial of service (d) Elevation of privilege
8. When building an attack tree, the generic attack is placed at the root. True or false?
9. Which of the following would not be enforceable by an automated security policy?
(a) Firewall settings (b) Password disclosure practices (c) Password length restrictions (d) Access control restrictions
10. ISO 17799 provides the technical standards by which an operating system should enforce security. True or false?
11. The DREAD methodology is an example scheme for quantitative risk analysis. True or false?

Applying This Chapter
1. You are performing a risk analysis of an existing network. The network is an Active Directory domain with 200 client computers. The network is connected to the Internet through a firewall. One server has a modem and allows remote access to the network by dial-in users.
(a) What type of threat is most likely to compromise the availability of the domain controller? Explain why.
(b) What type of threat is most likely to compromise the confidentiality of the company's data? Explain why.
(c) How can you identify and rate vulnerabilities on the network?
(d) A password policy that requires a new password every 30 days is applied throughout the domain. What effect will this have on social engineering attacks? Discuss the pros and cons.
(e) How can an organizational policy reduce or eliminate the risk identified in question 1(d)?
(f) You identify assets and assign a rating between 1 and 10 based on how long the business could operate if the asset was compromised. What type of risk analysis are you performing?
2. The major topics of ISO 17799 are listed in Table 1-5. Assign the policies listed below to the appropriate topic.
(a) Each employee must swipe his or her own card to be allowed through the front door.
(b) Contractors must be given security training before they begin work.
(c) The "Orders" database must be backed up hourly.

(d) A person who has been terminated must be escorted out of the building by a member of human resources.
(e) Employees can access the company network remotely only if they have been assigned permission by a supervisor.
(f) All client computers should be updated with a security patch within three days of the patch being made available.
(g) A hard drive must be reformatted before it is sent for service.
(h) At the end of each day, the "Accounting" database backup must be taken to a safety deposit box.
(i) Security decisions will be made by a committee composed of one designated participant from each department and the Chief Executive Officer.
(j) The company will comply with local, state, and federal privacy laws.

Table 1-5: Assigning Policies to the Appropriate ISO 17799 Topic
Establishing organizational security policy
Organizational security infrastructure
Asset classification and control
Physical and environmental security
Personnel security
Communications and operations management
Access control
Systems development and maintenance
Business continuity planning
Compliance

YOU TRY IT
Analyzing the Risks in Your Own Environment
A good place to start practicing risk analysis is by analyzing the risks associated with your own computer and the environment in which it is operating.
1. Identify four assets and rate them in terms of their value. Use a 4-point scale, where 4 is Very Important.
2. Identify any vulnerabilities. Consider the strength of your password, whether your operating system is kept up-to-date, whether you have virus protection, whether your system is running a firewall, the physical environment (who can actually sit down at your system and log on), and how your system is connected to any networks, including the Internet. Rate the vulnerabilities on a 4-point scale, where 1 is the most critical.
3. Identify potential threats. Use the STRIDE threat model and identify one potential threat in each category. Use the DREAD threat model to assign a value.
4. Determine where you need to concentrate your effort. Identify the three most likely risks and describe how you can change your configuration or your security practices to mitigate them. Will you use an automated security policy? How do these mitigation efforts relate to the ISO 17799 categories?

2 NETWORK AND SERVER SECURITY

Starting Point
Go to www.wiley.com/college/cole to assess your knowledge of server security and network borders. Determine where you need to concentrate your effort.

What You'll Learn in This Chapter
▲ Layers of the OSI model
▲ Layers of the TCP/IP model
▲ TCP/IP protocols and ports
▲ Security by design
▲ Defense-in-depth
▲ How to physically secure a server
▲ How to limit the attack surface
▲ Public, semiprivate, and private networks
▲ Network segments
▲ Firewalls

After Studying This Chapter, You'll Be Able To
▲ Identify the role of each layer of the OSI model and describe how each relates to security
▲ Identify the purpose of key TCP/IP protocols and the layers at which they operate
▲ Describe the role of ports and their impact on security
▲ Describe how the defense-in-depth strategy is applied to network security
▲ List the steps to take to physically secure a server
▲ Identify and disable unnecessary services and limit the permissions of necessary services
▲ Describe how port scanners can be used to compromise a network
▲ Identify the risks associated with input and output devices on a server
▲ Describe the role of border security
▲ Distinguish between packet filtering, stateful packet filtering, and application proxy firewalls

INTRODUCTION
Businesses depend on servers for a number of reasons. Servers can store vital data, manage core business processes, and provide customers with information and services. Servers are also a primary target for attacks. In this chapter, you will learn how to reduce the attack surface for servers and create a segmented network that protects your key resources from attack. The chapter begins with a review of the layers in the networking stack and the TCP/IP protocol. Next, the chapter looks at some best practices for securing servers on your network. It is also essential to understand the role that firewalls play in a network. Finally, the chapter examines border security and discusses three types of firewalls and how they can be used to protect a network segment.

2.1 Network Protocols Review
To be able to identify and lessen the risk of a data confidentiality or integrity violation during a network data transfer, you must first understand how data is transmitted on a network.

2.1.1 Understanding Protocols
The word protocol has a number of definitions, based on the context of its use. In the area of computer communications, a protocol is a formal set of rules that describe how computers transmit data and communicate across a network. The protocol defines the message format and the rules for exchanging the messages. Because of the complexity and multiple functions required to initiate, establish, conduct, and terminate communications among computers on a network, these functions are divided into manageable, individual layers. This decomposition is known as a layered architecture. In a layered architecture, the protocols are arranged in a stack of layers in which data is passed from the highest layer to the lowest layer to send a transmission. This stack of layers is called the network stack (see Figure 2-1). The protocols and standards supported in each of the layers perform specific functions and attach information to the data as it passes through a particular layer. This process is called data encapsulation. At the receiving computer, the process is reversed and the successive layers of information are stripped as the packet travels through the stack up to the highest layer. Each protocol detaches and examines only the data that was attached by its protocol counterpart at the transmitting computer.
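Encapsulation as described above, as an added example that is not part of the textbook: the Python below builds a frame the way the sending stack does, with each layer prepending only its own header (a UDP header, then an IPv4 header with its checksum, then an Ethernet II header), and then unwraps it on the receiving side, where each layer parses and validates only the header its counterpart added before handing the remainder up. The addresses, ports and payload are constructed sample values (the Intel OUI 00-AA-00 is the one the chapter cites for MAC addresses), and the receive-side length and checksum checks are the ones a real stack has to make, because those fields arrive from the wire under an attacker's control.

```python
import struct

# Constructed sample values for this example (not from the page): a UDP datagram
# from 192.168.1.10:4000 to 192.168.1.20:53, carried in an Ethernet II frame.
# The OUI 00-AA-00 (Intel) is the one the chapter cites for MAC addresses.
SRC_MAC = bytes.fromhex("00aa00112233")
DST_MAC = bytes.fromhex("00aa00445566")
SRC_IP, DST_IP = "192.168.1.10", "192.168.1.20"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words, as used by the IPv4 header (and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


# Sending side: each layer prepends its own header (encapsulation).

def add_udp(payload: bytes, sport: int, dport: int) -> bytes:
    # Layer 4: 8-byte UDP header. Checksum 0 means "not computed", which IPv4 permits.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def add_ipv4(segment: bytes, src: str, dst: str, proto: int) -> bytes:
    # Layer 3: IPv4 header; the checksum is computed with the checksum field zeroed.
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(segment), 0x1234, 0, 64, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + segment


def add_ethernet(packet: bytes, src_mac: bytes, dst_mac: bytes, ethertype: int) -> bytes:
    # Layer 2: Ethernet II header (the frame check sequence is appended by the adapter).
    return dst_mac + src_mac + struct.pack("!H", ethertype) + packet


def encapsulate(payload: bytes) -> bytes:
    segment = add_udp(payload, 4000, 53)
    packet = add_ipv4(segment, SRC_IP, DST_IP, IPPROTO_UDP)
    return add_ethernet(packet, SRC_MAC, DST_MAC, ETHERTYPE_IPV4)


# Receiving side: each layer strips and checks only the header its peer added.

def strip_ethernet(frame: bytes):
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": ethertype}, frame[14:]


def strip_ipv4(packet: bytes):
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Length fields come from the wire and are attacker-controlled: never trust them blindly.
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > total_len or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ones_complement_checksum(packet[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    fields = {"src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
              "ttl": ttl, "proto": proto}
    return fields, packet[ihl:total_len]    # drop any Ethernet padding after the datagram


def strip_udp(segment: bytes):
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("bad UDP length")
    return {"sport": sport, "dport": dport}, segment[8:length]


def decapsulate(frame: bytes):
    eth, packet = strip_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip, segment = strip_ipv4(packet)
    if ip["proto"] != IPPROTO_UDP:
        raise ValueError("not a UDP datagram")
    udp, payload = strip_udp(segment)
    return eth, ip, udp, payload


def frame_is_valid(frame: bytes) -> bool:
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    frame = encapsulate(b"hello")
    print(len(frame), "bytes on the wire:", decapsulate(frame))
```

Note that the Ethernet parser never looks at IP fields and the IP parser never looks at UDP fields; each layer trusts only what it can verify in its own header, and a flipped byte anywhere in the IP header is caught by the checksum before the payload is handed to the next layer.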

Figure 2-1: Network stack and data encapsulation. (Figure placeholder: on the sending side, Data is wrapped in turn by Protocol1, Protocol2, Protocol3, and Protocol4; on the receiving side the same layers unwrap it in reverse order.)

2.1.2 The Open Systems Interconnect Model
The Open Systems Interconnection (OSI) model was developed around 1981 by the International Organization for Standardization (ISO). It's helpful to have a general understanding of the OSI reference model when talking about different security protocols and how they function. The OSI reference model includes seven functional layers, which provide the basis for communication among computers over networks. The layers in the model range from providing application-oriented processes at the highest level to the generation of electrical or optical signals that are injected into the transmission medium (such as wires, optical fiber, or the air) in the bottom layer. The intermediate layers perform additional functions, including setting up the communications session, transferring data, and detecting errors. The seven layers of the OSI model, from highest to lowest, are: Application, Presentation, Session, Transport, Network, Data Link, and Physical. You can easily remember them using the mnemonic phrase "All People Seem To Need Data Processing." Table 2-1 lists the OSI model layers and their general functions. The following sections discuss each of the OSI layers in turn, explaining their individual functions and the protocols they employ.

Table 2-1: ISO OSI Seven-Layer Model
Layer     Layer Name           Function
Layer 7   Application layer    Provides services such as email, file transfers, and file servers
Layer 6   Presentation layer   Provides encryption, code conversion, and data formatting
Layer 5   Session layer        Negotiates and establishes a connection with another computer
Layer 4   Transport layer      Supports reliable end-to-end delivery of data
Layer 3   Network layer        Performs packet routing across networks
Layer 2   Data Link layer      Provides error checking and transfer of message frames
Layer 1   Physical layer       Defines standards for transmission media, physical connection to the media, and how data should be sent over the network

The Application Layer
Layer 7, the Application layer, is the interface to the user. The Application layer provides services that deal with the communication portion of an application. It identifies the desired recipient of the communication and ensures that the recipient is available for a transmission session. Protocols associated with the Application layer include the following:
▲ File Transfer Protocol (FTP): provides for authenticated transfer of files between two computers and access to directories.
▲ Trivial File Transfer Protocol (TFTP): reduced version of FTP; does not provide authentication or accessing of directories, and it cannot execute a remote file as a program.
▲ Secure File Transfer Protocol (SFTP): a protocol that is replacing FTP (more precisely, the SSH File Transfer Protocol). It provides increased security because it includes strong encryption and authentication. SFTP is a client that is similar to FTP and uses Secure Shell (SSH) or SSH-2 (a revised version of SSH) to provide secure file transfer.
▲ Simple Mail Transfer Protocol (SMTP): supports the transmission and reception of email.
▲ Domain name system (DNS): a distributed database system that matches host names to Internet Protocol (IP) addresses and vice versa. A popular DNS implementation is the Berkeley Internet Name Domain (BIND).
▲ Secure Shell (SSH): a remote administration technology for Unix that provides authentication and encrypted transmission, and so is more secure than its predecessor, Telnet.
▲ Remote login (Rlogin): a command in UNIX that begins a terminal session between an authorized user and a remote host on a network. The user can perform all functions as if he or she were actually at the remote host. The secure version of Rlogin is slogin and is used by SSH.
▲ Simple Network Management Protocol (SNMP): supports the exchange of management information among network devices through a management entity that polls these devices. It is a tool used by network administrators to manage the network and detect problem areas.
▲ BootP: provides a diskless workstation with its IP address based on its Media Access Control (MAC) address; this information comes from a BootP server. A MAC address, defined as part of the Data Link layer (Layer 2), comprises a 6-byte number typically written as six hexadecimal pairs. Every network adapter is assigned a unique MAC address by the manufacturer. The first three bytes of a MAC address identify the manufacturer; for example, the hexadecimal value 00AA00 would indicate that Intel® is the manufacturer. The remaining three bytes are assigned by that manufacturer to distinguish its individual devices. Because most operating systems allow this address to be overridden in software, a MAC address identifies an adapter only as long as nobody has chosen to change it; it should not be treated as an authenticator.
▲ Multipurpose Internet Mail Extensions (MIME): enables the use of non-US-ASCII textual messages, nontextual messages, multipart message bodies, and non-US-ASCII information in message headers in Internet mail.

The Presentation Layer
Layer 6, the Presentation layer, is so named because it presents information to the Application layer. Layer 6 performs encryption, decryption, compression, and decompression functions, as well as translates codes such as Extended Binary Coded Decimal Interchange Code (EBCDIC) or American Standard Code for Information Interchange (ASCII). EBCDIC is a legacy character encoding standard originally developed for IBM mainframes. ASCII is an encoding standard used by Unix, DOS, and Windows® operating systems. Standards associated with Layer 6 include the following:
▲ Moving Picture Experts Group (MPEG): the Moving Picture Experts Group's standard for the compression and coding of motion video.

▲ Joint Photographic Experts Group (JPEG): standard for graphics defined by the Joint Photographic Experts Group.
▲ Tagged Image File Format (TIFF): a public domain raster file graphics format. TIFF is platform independent and was designed for use with printers and scanners. It does not handle vector graphics.

The Session Layer
Layer 5, the Session layer, sets up communication with other computers, manages the dialog between computers, synchronizes the communications between the transmitting and receiving entities, formats the message data, maintains the control and integrity of a communications session, and manages the communication session in general. The functions of Layer 5 include the following:
▲ Establishing the connection.
▲ Transferring data.
▲ Releasing the connection.
The following are all protocols that operate at the Session layer:
▲ AppleTalk Session Protocol (ASP): used to set up a session between an ASP server application and an ASP workstation application or process.
▲ Network File System (NFS): supports the sharing of files among different types of file systems.
▲ Remote procedure call (RPC): supports procedure calls where the called procedure and the calling procedure may be on different systems communicating through a network. RPC is useful in setting up distributed, client-server based applications.
▲ Hypertext Transfer Protocol (HTTP): a protocol used for sending web pages and information to other locations on the Internet. (Most references place HTTP at the Application layer, running over TCP.)

The Transport Layer
Layer 4, the Transport layer, provides services to the Session layer (Layer 5) to support applications. It delineates the addressing of devices on the network, describes how to make internode connections, and manages the networking of messages. The Transport layer also reassembles data from higher-layer applications and establishes the logical connection between the sending and receiving hosts on the network. Transport layer protocols include the following:
▲ Transmission Control Protocol (TCP): a highly reliable, connection-oriented protocol used in communications between hosts in packet-switched computer networks or interconnected networks. A connection-oriented protocol guarantees the delivery of packets and that the packets will be delivered in the same order as they were sent. There is a large overhead associated with sending packets with TCP because of the tasks it has to perform to ensure reliable communications.
▲ User Datagram Protocol (UDP): a connectionless protocol that transmits packets on a best effort basis; it does not guarantee packet delivery. It does not provide for error correction or for the correct transmission and reception sequencing of packets. Because of its low overhead, it is well suited for streaming video/audio applications.
▲ Stream Control Transmission Protocol (SCTP): a protocol similar to TCP, except that it transmits multiple streams of messages instead of a single stream of bytes (TCP can only send a single stream of bytes).
▲ Sequenced Packet Exchange (SPX): a protocol maintained by Novell® that provides a reliable, connection-oriented transport service. It uses the Internetwork Packet Exchange (IPX) protocol to transmit and receive packets.

The Network Layer
Layer 3, the Network layer, sets up logical paths or virtual circuits for transmitting data packets from a source network to a destination network. It performs the following functions:
▲ Switching and routing
▲ Forwarding
▲ Addressing
▲ Error detection
▲ Node traffic control
Network layer protocols include the following:
▲ Internet Protocol (IP): provides a best-effort, or unreliable, service for connecting computers to form a computer network. A computer on the network is assigned a unique IP address. The transmitted data packets contain the IP addresses of the sending and receiving computers on the network, in addition to other control data. The data packets, or datagrams, traverse networks through the use of intermediate routers that check the IP address of the destination device and forward the datagrams to other routers until the destination computer is found. Routers calculate the optimum path for data packets to reach their destination.

▲ Reverse Address Resolution Protocol (RARP): a protocol that enables a computer in a local area network (LAN) to determine its IP address based on its MAC address.
▲ Open Shortest Path First (OSPF): a shortest-path-first (SPF) routing protocol that selects the least-cost path from a source computer to a destination computer.
▲ Address Resolution Protocol (ARP): a protocol that maps IP network addresses to the hardware MAC addresses used by a data link protocol. The ARP protocol functions as a portion of the interface between the OSI Network and Data Link layers.
▲ Internet Control Message Protocol (ICMP): a troubleshooting protocol used to identify problems with the successful delivery of packets within an IP network. A useful ICMP utility is the ping command, which can check if computers on a network can communicate. It can verify that routers are properly routing packets to the destination computer.
▲ Routing Information Protocol (RIP): a routing protocol that sends routing update messages to other network routers at regular intervals and when the network topology changes. This updating ensures the RIP routers select the least-cost path to a specified IP address destination.
▲ IP security (IPsec): a protocol used to ensure data integrity, authentication, and encryption.

The Data Link Layer
Layer 2, the Data Link layer, encodes the data packets to be sent into bits for transmission by the Physical layer. Conversely, the data packets are decoded at Layer 2 of the receiving computer. Layer 2 also performs flow control, protocol management, and Physical layer error checking. It is also the layer that implements bridging. It can also be used to perform packet filtering. The Data Link layer is divided into sublayers: the Media Access layer and the Logical Link layer.

The Media Access layer performs the following functions:
▲ Supports the network computer’s access to packet data.
▲ Controls the network computer’s permission to transmit packet data.

The Logical Link layer performs the following functions:
▲ Sets up the communication link between entities on a physical channel.
▲ Formats the data to be transmitted into frames.
▲ Converts data to be sent into bits for transmission.
▲ Adds a header to the data that indicates the source and destination IP addresses.

▲ Controls error checking and frame synchronization.
▲ Defines the network access protocol for data transmission and reception.
▲ Supports Ethernet and token-ring operations.

Data Link layer protocols include the following:
▲ Serial Line Internet Protocol (SLIP): a legacy protocol that defines a sequence of characters that frame IP packets on a serial line. It is used for point-to-point serial connections running TCP/IP.
▲ Point-to-Point Protocol (PPP): a protocol used for transmitting data over point-to-point links, such as dial-up or dedicated serial lines. PPP was designed as a replacement for SLIP in sending information using synchronous modems. It does this by encapsulating the datagrams of other protocols. IP, IPX, and DECnet protocols can operate under PPP.

The Physical Layer
Layer 1, the Physical layer, transmits data bits through the network in the form of light pulses, electrical signals, or radio waves. It includes the necessary software and hardware to accomplish this task, including appropriate cards and cabling. In addition to electronic interfaces, such as twisted pair or coaxial cables, the Physical layer is also concerned with mechanical issues such as cable connectors and cable length. Network cards function at Layer 2 of the OSI Model but connect at Layer 1. This level is addressed in the family of Institute of Electrical and Electronics Engineers (IEEE) 802 LAN/WAN standards, which include the following areas:
▲ 802.1: internetworking
▲ 802.2: logical link control
▲ 802.3: Ethernet (Carrier Sense Multiple Access/Collision Detection, or CSMA/CD)
▲ 802.3u: fast Ethernet
▲ 802.3z: gigabit Ethernet
▲ 802.3ae: 10-gigabit Ethernet
▲ 802.5: token ring
▲ 802.7: broadband technology
▲ 802.8: fiber optic technology
▲ 802.9: voice/data integration (IsoENET)
▲ 802.10: LAN security
▲ 802.11: wireless networking
▲ 802.15: wireless personal area network
▲ 802.16: wireless metropolitan area networks

2.1.3 The TCP/IP Model
The TCP (Transmission Control Protocol) and IP (Internet Protocol) were developed in the 1970s, prior to ISO’s OSI model. TCP and IP are part of a layered protocol model that is similar, but not identical to, the OSI model. In fact, the OSI model incorporated some of the concepts of the TCP/IP model. TCP/IP grew out of research by the U.S. Department of Defense (DoD) to develop systems that could communicate in battlefield environments where communication links were likely to be destroyed. The solution was to send messages in the form of packets that could be routed around broken connections and reassembled at the receiving end. The goal of TCP/IP was to enable different types of computers on different geographical networks to communicate reliably, even if portions of the connecting links were disabled.

TCP verifies the correct delivery of data and provides error detection capabilities. If an error is detected, TCP attempts the retransmission of the data until a valid packet is received. This function is based on an acknowledgment that should be sent back to the transmitting computer upon the receipt of delivered packets. If a packet is not acknowledged, the originating computer resends it. The receiving computer then organizes the received packets into their proper order. The IP portion of TCP/IP is responsible for sending packets from node to node on the network until the packets reach their final destinations. The routing is accomplished through an IP address that is assigned to every computer on the Internet. TCP/IP provides this functionality through programs called sockets used to access the TCP/IP protocol services.

There are two standards for IP addresses: IPv4 and IPv6. An IPv4 IP address is the 4-byte destination IP address that is included in every packet. It is usually represented in decimal form as octets of numbers from 0 to 255, such as 160.192.226.135. An IP address is divided into a portion that identifies a network and another portion that identifies the host or node on a network. In the TCP/IP model, a network is assigned to a Class from A through E, and this class representation further delineates which part of the address refers to the network and which part refers to the node. Classes A through C are the commonly used categories. The network classes and their corresponding addresses are given in Table 2-2. Additionally, 255.255.255.255 is used to broadcast to all hosts on the local network.

IPv6 uses a 128-bit addressing scheme, so it has more than 79 times as many available addresses as IPv4. Instead of representing the binary digits as decimal digits, IPv6 uses 8 sets of 4 hexadecimal digits. IPv6 includes additional security features, including support for built-in authentication and confidentiality. Most current operating systems include support for IPv6 and systems are expected to gradually migrate to the new standard over several years, although some industry experts feel that it is unlikely that IPv4 addresses will ever be fully retired.
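The class rules that Table 2-2 summarizes, applied in code. This is an added example, not code from the book: it classifies an IPv4 address by the leading bits of its first octet, splits it into the network and host portions the table describes, and flags the loopback, broadcast, multicast and experimental ranges, which is also a cheap sanity check on a packet's source field, since none of those can legitimately originate traffic. All function and constant names are my own.

```python
# Classful IPv4 address decoder following Table 2-2 (added example; names are my own).
# Each rule: class letter, the leading bits of the first octet, and how many bits of
# the 32-bit address name the network (None = the class has no network/host split).
CLASS_RULES = (
    ("A", "0",    8),     # first octet 1-126; 127 is reserved for loopback
    ("B", "10",   16),    # first octet 128-191
    ("C", "110",  24),    # first octet 192-223
    ("D", "1110", None),  # first octet 224-239, multicast
    ("E", "1111", None),  # first octet 240-255, experimental
)


def parse_octets(addr: str) -> list:
    """Dotted-decimal string -> four ints, rejecting anything malformed."""
    parts = addr.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr!r}")
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {addr!r}")
    return octets


def classify(addr: str) -> dict:
    """Return the class, the network/host split and any reserved-use note for addr."""
    octets = parse_octets(addr)
    info = {"address": addr, "class": None, "network": None, "host": None, "note": None}

    # 255.255.255.255 is the local broadcast address, not a host in any class.
    if octets == [255, 255, 255, 255]:
        info["note"] = "local broadcast"
        return info

    first_bits = f"{octets[0]:08b}"                 # e.g. 110 -> '01101110'
    cls, net_bits = next((c, n) for c, prefix, n in CLASS_RULES
                         if first_bits.startswith(prefix))
    info["class"] = cls

    if net_bits is None:                            # classes D and E: no host part
        info["note"] = "multicast" if cls == "D" else "experimental"
        return info
    if octets[0] == 127:                            # class A range reserved for loopback
        info["note"] = "loopback"
    elif octets[0] == 0:                            # below the class A range of 1-126
        info["note"] = "outside the class A range (0 is reserved)"

    split = net_bits // 8                           # classful boundaries fall on octets
    info["network"] = ".".join(str(o) for o in octets[:split])
    info["host"] = ".".join(str(o) for o in octets[split:])
    info["host_count"] = 2 ** (32 - net_bits) - 2   # minus the all-zero and all-one hosts
    return info


def plausible_unicast_source(addr: str) -> bool:
    """Sanity check for the source field of an incoming packet: loopback, broadcast,
    multicast and experimental addresses never legitimately send traffic, so a packet
    carrying one of them as its source has a forged (or badly broken) header."""
    return classify(addr)["note"] is None
```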

Table 2-2: IP Address Network Classes

Class A
  Address range = 1.0.0.1 to 126.255.255.254
  Network address: First 8 bits define the network address. The decimal address ranges from 1 to 126 (127 networks). The binary address of the first octet always begins with 0 (00000001 to 01111111). 127 is reserved for loopback testing on the local host.
  Host address: The remaining 24 bits define the host address (16 million hosts).
  Example address: 110.160.226.156 (Network = 110; Host = 160.226.156)

Class B
  Address range = 128.0.0.1 to 191.255.255.254
  Network address: First 16 bits define the network address. The decimal address ranges from 128 to 191 (16,000 networks). The binary address of the first octet always begins with 10.
  Host address: The remaining 16 bits define the host address (65,000 hosts).
  Example address: 168.212.226.155 (Network = 168.212; Host = 226.155)

Class C
  Address range = 192.0.0.1 to 223.255.255.254
  Network address: First 24 bits define the network address. Binary address of the first octet always starts with 110, therefore the decimal address ranges from 192 to 223 (2 million networks).
  Host address: The remaining 8 bits define the host address (254 addresses).
  Example address: 200.168.198.156 (Network = 200.168.198; Host = 156)

Class D
  Address range = 224.0.0.0 to 239.255.255.255
  Reserved for multicasting (sending a message to multiple hosts listening on the same IP address). Binary address of the first octet always begins with 1110, therefore the decimal address ranges from 224 to 239.

Class E
  Address range = 240.0.0.0 to 254.255.255.254
  Reserved for experimental purposes. Binary address of the first octet always begins with 1111, therefore the decimal number can be anywhere from 240 to 255.

TCP/IP Model Layers
The TCP/IP model has four layers: the Application layer, the Host-to-Host layer or Transport layer, the Internet layer, and the Network Access layer. These layers and their corresponding functions and protocols are summarized in Table 2-3. The example protocols listed in Table 2-3 have been discussed under the OSI model, except for the Post Office Protocol (POP). POP, which can be used with or without SMTP, is a mail retrieval protocol: using POP, an email client can retrieve email from a mail server. The latest version of POP is POP3. A security issue with POP3 is that the password used for authentication is transmitted as unencrypted “clear” text.

Table 2-3: TCP/IP Model Layers

Layer 4: Application layer
  Function: Equivalent to the Application, Presentation, and Session layers of the OSI model. In TCP/IP, an application is a process that is above the Transport layer. Applications communicate through ports and sockets.
  Protocols or Standards: SMTP, HTTP, FTP

Layer 3: Host-to-Host or Transport Layer
  Function: Similar to the OSI Transport layer, supports reliable end-to-end communications, ensures data integrity, performs packet sequencing, and provides for error-free data delivery.
  Protocols or Standards: TCP, UDP

(Continued)

Table 2-3 (continued)

Layer 2: Internet Layer
  Function: Performs the same function as the OSI Network layer. Isolates the upper-layer protocols from the details of the underlying network and manages the connections across the network. Uses protocols that provide for logical transmission of packets over a network and controls communications among hosts.
  Protocols or Standards: IP, ARP, RARP, ICMP

Layer 1: Network Access Layer
  Function: Combines the Data Link layer and the Physical layer functions of the OSI model. These functions include mapping IP addresses to MAC addresses, assigning IP addresses to network nodes, and encapsulation of IP datagrams into frames to be transmitted by the network. It is also concerned with communications hardware, software (using software drivers), connectors, voltage levels, and cabling. Some definitions of the TCP/IP model do not include the Physical layer in the Network Access Layer definition.
  Protocols or Standards: IEEE 802.3, IEEE 802.11b, IEEE 802.11g

As with the OSI model, encapsulation occurs as data traverses the layers from the Application layer to the Network Access layer at the transmitting node. This process is reversed in the receiving node. Encapsulation in TCP/IP is illustrated in Figure 2-2.

Figure 2-2: TCP/IP encapsulation. (Application Layer: Data. Host-to-Host or Transport Layer: Header + Data. Internet Layer: Header + Header + Data. Network Access Layer: Header + Header + Header + Data.)

2.1.4 TCP/IP Ports
A TCP/IP protocol, such as HTTP, uses a specific port when transmitting data. A port is a number that is included in a packet’s header. The recipient computer uses that number to identify the service that should process the packet. The receiving computer listens for requests on a set of ports. The ports from 0 through 1024 are known as well-known ports because they are associated with a specific service. Some well-known ports are listed in Table 2-4. Ports between 1025 and 65000 can be assigned to custom applications. You can also configure some services that typically use a well-known port to use a different port. For example, you might configure your web server to listen on port 3295 for a specific intranet application. To access this web application, you

Table 2-4: Well-Known Ports

Port number    Protocol
20 and 21      FTP
22             SSH
23             Telnet
25             SMTP
53             DNS
80             HTTP
110            POP3
443            HTTPS

would append a colon and the port number after the host name in the URL. For example, to access a webpage named “index.htm” on a website listening on port 3295 on a web server named “www.busicorp.com,” you would use the URL http://www.busicorp.com:3295/index.htm. You should not use custom port mappings for Internet applications that need to be accessed by the public because users will not know that they need to append a port number to the server name in the URL. You can view a list of ports that are listening on a Windows computer by using the “netstat -a” command line utility, as shown in Figure 2-3.

Figure 2-3: “Netstat -a” command.
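The encapsulation of Figure 2-2 and the port lookup of Table 2-4 carried out on real bytes. This is an added example rather than code from the book: a request for index.htm is wrapped with a TCP header (port 3295), an IPv4 header with its checksum, and an Ethernet header, and the receiving side then peels one header per layer. The addresses, MAC values and the function names are constructed for the example.

```python
import struct

# Port numbers from Table 2-4, used to name the service a decoded segment is aimed at.
WELL_KNOWN_PORTS = {20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
                    53: "DNS", 80: "HTTP", 110: "POP3", 443: "HTTPS"}


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used in the IP header (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def transport_layer(src_port: int, dst_port: int, data: bytes) -> bytes:
    """Host-to-Host layer: prepend a minimal 20-byte TCP header (SYN flag, window 65535).
    The TCP checksum is left at zero here; a real stack computes it over a pseudo-header."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return header + data


def internet_layer(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Internet layer: prepend a 20-byte IPv4 header (protocol 6 = TCP) with its checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, 6, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    checksum = internet_checksum(header)     # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment


def network_access_layer(src_mac: str, dst_mac: str, datagram: bytes) -> bytes:
    """Network Access layer: prepend an Ethernet header (EtherType 0x0800 = IPv4)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + datagram


def encapsulate(data, src_port, dst_port, src_ip, dst_ip, src_mac, dst_mac) -> bytes:
    """Figure 2-2, transmitting side: each layer wraps what the layer above handed it."""
    segment = transport_layer(src_port, dst_port, data)
    datagram = internet_layer(src_ip, dst_ip, segment)
    return network_access_layer(src_mac, dst_mac, datagram)


def decapsulate(frame: bytes) -> dict:
    """Figure 2-2, receiving side: peel one header per layer and report what each saw."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    datagram = frame[14:]
    ihl = (datagram[0] & 0x0F) * 4           # header length in bytes
    # A valid header sums to zero when the checksum field is included. This catches
    # corruption only: an attacker who rewrites the addresses simply recomputes it,
    # which is why address spoofing needs IPsec-style authentication, not checksums.
    if internet_checksum(datagram[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    total_length = struct.unpack("!H", datagram[2:4])[0]
    src_ip = ".".join(str(b) for b in datagram[12:16])
    dst_ip = ".".join(str(b) for b in datagram[16:20])
    segment = datagram[ihl:total_length]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4     # TCP header length in bytes
    return {
        "dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "src_ip": src_ip, "dst_ip": dst_ip, "protocol": datagram[9],
        "src_port": src_port, "dst_port": dst_port,
        "service": WELL_KNOWN_PORTS.get(dst_port, f"custom/registered port {dst_port}"),
        "data": segment[data_offset:],
    }
```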

FOR EXAMPLE
Security and the Network Stack
One technique used by attackers is to modify headers so that either the source or the destination address is spoofed. An attacker might modify the destination address to divert packets from their trusted destination to an untrusted destination. An attacker might also modify the source address so that the destination computer thinks the packet originated from a trusted source.

Packet sniffing is another technique frequently used by attackers. A packet sniffer can be software running on a network node or a hardware device that is tapped into the network media. A lot of data is sent using clear text. Data sent using clear text can be intercepted by packet sniffers or protocol analyzers. One reason to do this is to intercept passwords and other confidential information. Wireless networks are especially susceptible to sniffing because data is sent as radio waves, and a device operating on the same frequency can intercept those waves.

Network administrators can also use protocol analyzers when troubleshooting network problems. A protocol analyzer allows you to view the headers added to a message, as well as the data in the message itself. Some protocol analyzers operate in promiscuous mode, which means that they can capture all traffic on the network. The protocol analyzer included with Windows 2000 Server and Windows Server 2003 is Network Monitor. That version of Network Monitor can only capture traffic destined for or originating at the server where it is running.

SELF-CHECK
1. Describe the role of the network stack in network transmission using TCP/IP.
2. Describe the purpose of well-known ports. Give an example.

2.2 Best Practices for Network Security
Securing network servers is not limited to the server configuration. Servers are a part of the network and, therefore, the overall security of the network will impact the security of the server. In addition, most servers run applications.

Therefore, it is essential to keep server applications up-to-date with any security patches for known vulnerabilities. In this section, we’ll look at some general guidelines for securing the servers on your network. The section will focus on best practices and methodologies instead of the actual implementation. We’ll look at three basic guidelines: designing applications with security in mind, maintaining a security mindset, and defense-in-depth.

2.2.1 Security by Design
In the past, security for server applications has been an afterthought, only to be considered after threats and vulnerabilities have arisen. This led to many instances of security features being retrofitted into an operating system or application. One of the lessons learned from retrofitting is that it is very costly and time consuming to try to put in security after an application and system have been developed and deployed. In most cases, the system cannot be made completely secure. A conservative estimate is that it is 10 times cheaper to build security into a product than to attempt to retrofit the product after deployment. If the cost benefit is so great, why then is it still difficult for security to become part of the requirements in most software development efforts? Some of the factors affecting security in the design phase of a development effort are as follows:
▲ The software developers and security professionals (network engineers) historically came from different communities. This is still an issue today, although more software developers are attending security training and security conferences.
▲ The security threat was not well publicized. Security has made the front page more often in recent years.
▲ Until recently, software developers could not justify time spent on security features, because security features did not seem to affect the bottom line from management’s perspective.
▲ In the highly competitive marketplace for software, there has been a natural rush-to-market approach to beat the competition.
▲ In many cases, the software developers are building an application that they have never coded before. However, a network engineer who designs a network has probably designed dozens of networks in the past.

Even with the heightened attention to security in today’s world, it is still an uphill battle to get security rooted into the initial requirements and design of a development effort. Therefore, it is important that you ask questions about security features when deciding on a server application, and if your company

develops custom server applications, make sure the development team keeps security in mind during development.

2.2.2 Maintaining a Security Mindset
Having a security mindset is the first step in designing and implementing a strategy for securing your network servers. If an organization does not have a mindset that values security, it will be difficult to implement the needed controls. Security improvements will come at the cost of time, money, and convenience. The following are some approaches to developing a mindset that will help you secure the servers on your network:
▲ Base security decisions on the risk. Security can be like insurance; the risk must be known to determine the coverage needed.
▲ Respect the adversary. Do not underestimate the interest and determination of the threat.
▲ Be paranoid and expect the worst.
▲ Keep things simple. Simplicity and clarity will support a more secure environment.
▲ Use defense-in-depth. Many security controls are preferable to a single point of protection.
▲ Work on security awareness. Security training is needed at all levels of an organization.

2.2.3 Defense-in-Depth
The defense-in-depth principle is best thought of as a series of protective measures that, taken as a whole, will secure the environment. The most memorable example is the medieval castle. The king protected his crown jewels (literally) with a series of progressive defenses, including the following:
▲ The chosen site for the castle was on a hilltop. It was and always will be easier to defend the top of a hill.
▲ Trees and underbrush were cut from approaches to make it easier to see and to leave clear lines of sight.
▲ Sharp sticks pointing toward an approaching attacker were placed on the hillside. In today’s world, these would be mine fields.
▲ Stone walls and terraces were placed around the approaches to the top of the hill.
▲ A moat was dug around the hilltop.
▲ Vile waste was placed in the moat, sure to discourage the fainthearted from crossing.

▲ The outer castle walls were tall and thick.
▲ Rocks and hot oil could be dropped from the outer walls.
▲ There was an inner, smaller fortress to which the population could retreat in the event the outer walls were breached.

Two important features to note are as follows:
1. No one defense of a castle was relied upon for the ultimate protection. The defenses as a whole were designed to weaken and discourage the attackers, slowing down the attack. Some defenses were easy and cheap to implement (sharp sticks). Others required significant resources (the outer walls). But, taken as a whole, the defense was much stronger than the simple sum of each protective feature.
2. All the security resources should not be concentrated on a single protection.

The defense-in-depth principle applies to network and server security as well. The classic case of this mistake is when a company spends its entire security budget on a $200,000 firewall to protect it from the Internet. All of this investment can then be circumvented by a $30 modem because there was no security awareness program to train users as to the risk of connecting to ISPs directly from their workstations.

FOR EXAMPLE
Defending a Network from Attack
Suppose you are a network consultant. You visit a customer site and talk to the customer about network security. The customer has recently purchased firewall software and is feeling confident that his network is secure. You suggest the possibility that a firewall might not be sufficient protection and compare it to the stone walls placed around the approach to a medieval castle. “What if the attacker climbed the walls or tunneled through them? What if the attacker works for you and walks in every day through the front door?” you ask. The customer says, “What do you mean? I thought the firewall would keep my network secure.” You explain that it is better to implement security using a defense-in-depth strategy. You describe additional controls that should be put in place, such as strong passwords, access control for assets, virus protection, company security policies, and security awareness training. “Won’t that be expensive?” the customer asks. “Let’s look first at what the risks are,” you reply. The customer agrees to a risk analysis—the first step to securing his network.

A protective measure (a security control) is worth implementing even if it seems to be a redundant protection. Some specific examples related to server security are covered in the next section.

SELF-CHECK
1. Describe why investing a company’s entire security budget in a single defense is not advisable.

2.3 Securing Servers
Even the most securely developed server application must be placed in a secure operational environment. The host platform must also be secured. To operate the server securely, an organization must establish a plan with associated procedures. These procedures should include the following key aspects:
▲ Control the server configuration: The server must be configured to minimize exposure to an attack. Periodic backups can mitigate the risk if an attack does occur.
▲ Control users and access: A need-to-know and need-to-access environment should be established regarding the server’s data and access. A need-to-know environment is one in which users are only given permissions to read the files that store information they need to do their jobs. A need-to-access environment is one in which the only access permissions granted are those users need to do their jobs. For example, the use of strong passwords is advised even on internal networks in which all users are trusted.
▲ Monitoring, auditing, and logging: Security does not stop with deployment of the server. In today’s environment, continuous monitoring is required to ensure a server remains safe.

2.3.1 Controlling the Server Configuration
Operating the server safely extends beyond the key application being served up. The following are three important considerations when securing the host system:
1. Physically secure the system in a locked room and hire a guard, if appropriate. Limit access to the physical server to an as-needed basis only for all personnel.
2.

Minimize the risk to the host system by removing unneeded services, closing unnecessary ports, and removing unnecessary input and output devices. This is known as limiting the attack surface.
3. Back up the host system to mitigate the risk in the event that an attack does occur.

Physical Security of the System
Any server is vulnerable to an attacker who has unlimited time and physical access to the server. Unauthorized persons should not get near the server. Even casual contact can lead to outages. Additionally, physical problems could cause the server to have downtime. This would be a loss of availability. The following should be provided to ensure the availability of the server:
▲ Provide an uninterruptible power supply (UPS) unit with surge protection.
▲ Provide adequate cooling and ventilation.
▲ Provide adequate lighting and work space for maintaining and upgrading the system.
▲ Provide fire protection to minimize the loss of data and equipment.
▲ Restrict physical access to the server. The server space should be locked and alarmed. Any access to the space should be recorded for later evaluation should a problem occur. Inventory should be tightly controlled and monitored.

The physical protections listed here should extend to the network cables and other devices (such as routers) that are critical to the server operation.

Minimizing Services
As discussed earlier, servers are natural targets for attack. It should be expected that attackers will seek the path of least resistance in an attempt to compromise the server. The attacker will look to break in through any of the services running on the server. Most server operating systems will have a number of services enabled or on by default. Care must be taken to ensure that these extraneous services are disabled or even deleted from the system. For this reason, separation of services is a good security practice. Separation of services dictates that each major service should be run on its own protected host whenever possible. In this way, if any one service or server is compromised, the others are unaffected, and any damage done is limited to the one server. The following list shows typical services that should be disabled from a host if not needed:
▲ Telnet: The secure alternative, SSH, should be used instead, if needed.
▲ SMTP: Mail server applications are frequent targets of attacks.

▲ FTP: FTP is used to upload files to and download files from a central repository. FTP has a number of vulnerabilities and must be properly configured to be safe.
▲ DNS: This service requires frequent patches and upgrades to be secure.
▲ Finger: Finger allows you to determine the name associated with an email address and the last time the user logged on. This information can be used by an attacker to locate a door through which to enter the system.
▲ Netstat: Netstat is a Windows troubleshooting tool that allows you to see which ports a computer is listening on, as well as other information about the network. However, it can be used to learn information about a computer system that can then be used to launch other attacks.
▲ Systat: Systat is a Unix® troubleshooting tool. Systat listens on port 11. The information it returns can be used by an attacker to determine whether the system is running processes that include vulnerabilities.
▲ Chargen and Echo: These services can be used to launch data-driven attacks and denial-of-service (DoS) attacks.
▲ TFTP: TFTP is used to transfer small files and can be used to upload a malicious file to a computer.
▲ RPC: Unless the server application explicitly uses RPC to communicate with other systems, this should be disabled.

Managing Windows Services
You can disable a Windows service using the Services utility, shown in Figure 2-4. A service can be configured to start up manually, start up automatically when the system starts, or it can be disabled. When disabling services, you need to be careful not to disable a service on which another necessary service depends. You can view a list of dependencies by examining the Dependencies tab of a service’s Properties dialog box. For example, Figure 2-5 shows the services on which the World Wide Web Publishing service (the service used by Internet Information Services, or IIS) depends.

Another key consideration when managing services is the security context under which the service executes. This is important because an attack might replace the legitimate service with one that performs malicious activities. The attacker’s code would execute under the security context of the account specified as the logon account for that service. This means that the attacker’s code would be able to access any parts of the computer or network that account is granted permission to access. Therefore, you should use an account with the most restrictive permissions that will permit that service to operate. Windows 2000 (and later) has three built-in accounts that are typically

used to run services. The three built-in accounts are as follows:
▲ Local System: This account has permission to perform any task on the computer and permission to access resources on the network.
▲ Local Service: This account has very limited permissions on the computer and cannot access other computers across the network.
▲ Network Service: This account has the same local permissions as Local Service, but can also access computers across the network.

In addition, you can create a special user account and assign it the necessary rights and permissions. You change the security context for a service through the Log On tab of the service’s properties, as shown in Figure 2-6.

Figure 2-4: Managing Windows services.

Blocking Ports
Another important way to minimize the attack surface on a server is to block traffic to all ports except those the computer needs to perform its job. You can

block traffic to a specific port by configuring a firewall or, if the computer’s operating system supports it, by configuring an IPSec filter. IPSec is a security protocol that allows you to define policies for secure negotiation of traffic based on the source, destination, protocol, and computer authentication.

Figure 2-5: Dependencies of the World Wide Web Publishing service.

Potential attackers can use port scanners to determine whether a specific port is listening, open but not listening, or blocked. A port scanner sends requests to a specific port and records which ports seem to be open. Attackers can use this information to learn about the doorways that are open in a specific server and the attacks to which the server is most vulnerable. Some exploits are associated with specific well-known ports and the applications that use them. For example, if a server is listening on port 80, an attacker can assume that the server is running a web server. The attacker can then attempt an attack based on known vulnerabilities of common web server software.

Limiting Input and Output Devices
When evaluating the attack surface of a computer, you should also consider the physical entry points. A physical entry point is any interface that allows

input or output. Some physical entry points you might consider removing include the following:
▲ Modems: Modems should only be enabled on computers that require remote access using a dial-up network or those that act as remote access servers (servers that provide network access through a dial-up connection) for dial-up clients. If a modem needs to be used only for outgoing calls, it should not be configured to accept incoming calls.
▲ Network adapters: It’s essential to remember that as soon as you attach a computer to a network, it becomes vulnerable to attacks through the network interface. Therefore, you should never place a server on the network until you have applied security patches for known vulnerabilities.
▲ CD-ROM and DVD drives: In many cases you will need to have a CD-ROM or DVD drive in a server, if only to allow for software installation. However, keep in mind that if a person gains access to the server room, that person can insert a CD or DVD containing malicious software into the computer.

Figure 2-6: Setting a service’s Log On account.

▲ Floppy drives: Many computers today no longer contain floppy drives. However, you might consider removing the floppy drive from a system that does include one. A floppy drive can allow any person with physical access to copy files to or from a server.
▲ Universal Serial Bus (USB) ports: USB ports can make a server particularly vulnerable to an attack by a person who obtains physical access. USB hard disks no larger than a pinkie finger with capacities of 1 GB or more are available and can provide an attacker with an easy way to install a malicious file on the server or steal an entire database of customer information. A recent high-profile case involved a number of USB drives containing data about a nuclear power facility found during a drug bust.
▲ Monitor: If a server contains critical resources, you might consider running it as a headless server. A headless server is one that does not have a monitor and is therefore less susceptible to interactive attacks. However, you need to keep in mind that a headless server must be managed from another system, which in itself can pose a security risk because it requires you to open ports necessary for remote management.

System Backups
System backups are an important security control to mitigate the risk and damage that can be inflicted by an attack. No matter what steps are taken to prevent an attack, attacks should still be expected. Backups can aid in a post-attack reconstruction, and sometimes a backup will be your only chance of recovery. The compromised system can be compared with the backup to determine which part of the system was attacked. This might also provide insight into the extent of the damage inflicted by the attacker. Therefore, every server and server application should have regularly scheduled backups as part of the normal operation of the server. Typically, data is backed up on a daily or weekly basis. However, some servers store data that must be backed up more frequently. The frequency of the backups should be determined by how critical the data or service is to the business. The determination should be made based on a risk and business impact analysis. If the loss of a day’s worth of data cannot be tolerated, a zero-down-time failover system is recommended. A failover system is an identical copy of the server and its data that can be used in the event of an attack, natural disaster, or server failure.

FOR EXAMPLE

Securing a Server

You are network administrator for a hospital. The hospital database server stores confidential medical records of patients. The server is running Microsoft® SQL Server. You need to minimize the likelihood that data on the server will be obtained or modified by an unauthorized user. You also need to ensure that the server is available 24/7. The hospital cannot afford to lose even one day of patient data.

You begin by locking the server in a secure closet. You ensure that there are locks on the closet and that the only way someone can obtain a key is to sign in with a security administrator. Next you determine which Windows services are required for the server to operate. You configure those services to run under an account with only the permissions required. You disable all other services. Next, you identify the ports that are required for accessing the server. You block all other ports using a personal firewall. A personal firewall is firewall software that runs on a server to limit the traffic that server accepts. Windows XP Professional and Windows Server 2003 include Windows Firewall as the personal firewall software. To mitigate the damage if an attack occurs and to ensure availability if the server fails, you install an identical server as a failover system using the clustering technology included with Windows Server 2003. You also put the server on a UPS.

SELF-CHECK

1. Explain why separating services onto separate servers can help mitigate risk.
2. Describe the use of a port scanner in launching an attack.
3. Identify the advantages and disadvantages of operating a server as a headless server.
4. Describe the steps you should take to ensure the physical security of a server.

2.4 Border Security

When designing security for your network, you will most likely identify different network segments with different security requirements. For example, some servers will need to be accessible by the public. Others will need to be accessible only by employees. You might also have some servers that should be accessible only by a certain subset of employees. To implement security for different segments, you will erect borders that can only be crossed by certain types of traffic. This is known as border security. In this section we’ll look at some ways you can segment your network, including perimeter networks and firewalls.

2.4.1 Segmenting a Network

Over the past few years, there has been a heavy integration of network technologies, which has created highly unified and global network architectures. Yet business, government, and military requirements demand segregation of key network segments. These segments can be theoretically classified into the following:

▲ Public networks
▲ Semi-private networks
▲ Private networks

The boundaries of such network segments are established by devices capable of regulating and controlling the flow of packets into and out of the segment, including the following:

▲ Routers
▲ Switches
▲ Bridges
▲ Multi-homed gateways

Public Networks

Public networks allow accessibility to everyone. The Internet is a perfect example of a public network. On public networks there is a huge amount of unsecured data. Typically, security measures for public access networks are quite limited. A one-time password is often all that is required to log into publicly available machines and public access networks. Despite the lack of security, large volumes of unprotected data are transmitted worldwide over public networks because of their convenience and the variety of services they provide.

Semi-private Networks

Semi-private networks sit between public networks and private networks. From a security standpoint, a semi-private network might carry confidential information

but under some regulations. Semi-private networks are most often exclusive subnets of large public networks such as the Internet. Large peer-to-peer networks that are designed to handle and share exclusive information (usually multimedia) among its users can also be classified under semi-private networks.

Private Networks

Private networks are organizational networks that handle confidential and proprietary data and are the most common type of network. These include, but are not limited to, government institutions and financial organizations. Private networks might have exclusive addressing and protocols and do not have to be compatible with the Internet. Address translation schemes and various tunneling protocols can be used to allow incompatible private and public networks to interoperate. If the organization is spread over vast geographical distances, the private networks present at each location might be interconnected through the Internet or other public networks, mainly due to cost factors. Generally, most commercial organizations prefer not to lay down dedicated lines over vast geographical distances.

2.4.2 Perimeter Defense

In most cases, networks include various types of servers, including infrastructure servers like domain controllers and DNS servers, file servers, database servers, web servers and FTP servers, and application servers. Securing such enormous processing units often requires security solutions to be highly fortified at the network in addition to using individual server-based security systems. Normally, firewalls would be placed at the terminal ends of every network segment. Firewalls (independent or combined with routers) can be ideal choices for securing network perimeters. Specialized application proxies normally placed at the boundaries of network environments can also function as perimeter defense systems. Figure 2-7 shows a comprehensive view of a network protected by perimeter systems (usually firewalls).

A demilitarized zone (DMZ) is a noncritical yet secure region generally designed at the periphery of the internal and external networks. A DMZ is also known as a perimeter network or screened subnet. In most common environments, the configuration of a DMZ is such that it is either separated by a firewall from the external network or sandwiched between two firewalls, one at the external periphery and the other at the internal periphery. You most frequently locate resources that need to be accessed from both the Internet and the internal network on the DMZ. Figure 2-8 shows a DMZ setup for a web server application.

Firewalls

For most enterprises, it is a necessity to safeguard their private networks and communication facilities.

However, many organizations have business demands that require them to connect their private network to the Internet or other large-scale networks that are inherently insecure. Whenever you connect a network to an insecure network, such as the Internet, you open a large doorway for potential attacks. One of the best ways to arm against attacks from the insecure network is to employ firewalls at the connection point of the insecure network and the internal network. There are many reasons for an organization to employ firewalls to secure their networks from other insecure networks, such as the following:

▲ Poor authentication: Most network services and applications do not directly use authentication and encryption features, as they could be too cumbersome or costly. When such applications are accessed from the outside, the applications themselves might not be able to distinguish between legitimate and fake users.

Figure 2-7 Perimeter defense between a private network and the Internet. (Diagram labels: Internet, Router, Network Periphery, Perimeter Defense, Network Segments.)

A firewall could be highly effective in scanning and logging Internet traffic using these applications.

▲ Weak software: Most purchased software and free software (known as freeware) are not optimized for security features. Using such software could create vulnerabilities in the respective networks.

▲ Spoofing: Address spoofing has been a security problem for a long time. Because routing commonly utilizes both source and destination addresses, it is relatively easy for an attacker to read packets of communication sessions and acknowledge the respective addresses. Once this is done, the hacker can spoof the source address to the destination and vice versa. This can place resources directly under the control of the attacker, who could wreak havoc in no time.

▲ Scanners and crackers: You have already learned about scanners. Crackers are software programs that an attacker uses to launch dictionary attacks on passwords and other sensitive authentication information present on internal networks.

Figure 2-9 shows an example of a firewall placed between the Internet and an internal LAN to guard against attacks from the Internet.

Packet-Filtering Firewalls

Packet filtering is one of the simplest techniques used by firewalls. With packet-filtering firewalls, you define a filter (a set of rules that determine which packets should be allowed through, rejected, or dropped) and the firewall uses that filter to examine data passing in and out of the firewall. The filter is also called a rule base or ruleset. Rules can include source and destination IP addresses, source and destination port numbers, and protocols used. In most cases, the rule base is predefined based on a variety of metrics. Packet filtering generally

Figure 2-8 A web server in a DMZ. (Diagram labels: Internet, Firewall, External N/W, DMZ, Web Server, Data Server, Internal N/W.)

occurs at Layer 3 of the OSI model and employs some of the following metrics to allow a packet through the firewall, reject the packet, or drop the packet:

▲ The source IP address of the incoming packets: Normally, IP packets indicate where a particular packet originated. Approval and denial of a packet could be based on the originating IP addresses. You can usually choose to allow only packets from certain addresses or subnets or to block packets from specific addresses or subnets.

▲ The destination IP addresses: Destination IP addresses are the intended location of the packet at the receiving end of a transmission. Unicast packets have a single destination IP address and are normally intended for a single machine. Multicast or broadcast packets are normally destined for multiple machines on the network. Rulesets can be devised to block traffic to a particular IP address on the network to lessen the load on the target machine. Such measures can also be used to block unauthorized access to highly confidential machines on internal networks.

▲ The type of Internet protocols that the packet might contain: Layer 2 and Layer 3 packets carry the type of protocol being used as part of their header structure, intended for appropriate handling at the destination machines. These packets could be any of the following types:

▲ Normal data-carrying IP packets.
▲ Message control packets such as ICMP.
▲ Address resolution packets such as ARP.
▲ UDP packets.

Figure 2-9 Firewall between an internal network and the Internet. (Diagram labels: Internet, Firewall, Internal LAN.)

▲ RARP.
▲ Boot-up protocols such as BootP.
▲ IP address assignment packets (Dynamic Host Configuration Protocol, or DHCP).

Though packet filtering is accomplished at the OSI model’s Layer 3 and below, Layer 4 attributes such as TCP requests, acknowledgment messages, sequence numbers, and destination ports can be incorporated when creating the filters. Information about the incoming port and outgoing port in the router of the packet can be utilized to define filtering rules. Filtering can be based on the protocol information that the packets carry. Packet-filtering firewalls can be integrated into routers. Such routers route packets and drop packets based on firewall filtering principles.

The main advantage of packet-filtering firewalls is the speed at which the firewall operations are achieved. Because most of the work takes place at Layer 3 or below in the network stack, a packet-filtering firewall does not require complex application-level knowledge of the processed packets. Thus, using packet-filtering firewalls is highly effective in protecting against denial-of-service attacks that aim to bog down sensitive systems on internal networks. Most often, packet-filtering firewalls are employed at the periphery of an organization’s secure internal networks because they provide a good first line of defense. The normal practice is to employ additional safety measures inside the DMZ with the packet-filtering firewall set up at the external periphery.

Packet-filtering firewalls are not without drawbacks. Because packet-filtering techniques work at OSI Layer 3 or lower, it is impossible for them to examine application-level data directly. As a result, application-specific attacks can easily creep into internal networks. Network address spoofing is a primary tool employed by willful attackers on sensitive networks. Many packet-filtering firewalls cannot detect spoofed IP or ARP addresses. When an attacker spoofs network addresses such as IP addresses, packet filters are ineffective at filtering on this Layer 3 information.

Stateful Packet Filtering

Stateful packet-filtering (also called stateful inspection) techniques use a sophisticated approach, while still retaining the basic tenets of packet-filtering firewalls for their operation. As you’ll recall, Layer 4 manages connections. The connection pairs can usually be singled out with the following four parameters:

1. The source address
2. The source port
3. The destination address
4. The destination port

The connection information is maintained in state tables that are normally controlled dynamically. Each connection is logged into the tables, and, after the connection is validated, packets are forwarded based on the ruleset defined on the particular connection. Normally the TCP at Layer 4 of the OSI network stack uses such connection mechanisms for communication and, thus, differs from the connectionless IP present at Layer 3. Stateful inspection techniques use TCP and higher-layer control data for the filtering process. For example, client requests originating from inappropriate ports can be denied access to the server. Similarly, firewalls might invalidate packets that contain port numbers higher than 1023. Figure 2-10 shows the stateful packet-filtering process. Most of the higher-level firewalls present in the market are stateful inspection firewalls.

Even though stateful inspection firewalls do a good job of augmenting security features generally not present on packet-filtering-based firewalls, they are not as flexible or as robust as packet-filtering firewalls. Incorporation of the dynamic state table and other features into the firewall makes the architecture of such firewalls complex in comparison and negatively affects the speed of operation. As the number of connections increases (as often is the case on large-scale internal networks), the state table contents expand to a size that causes congestion at the firewall. Users might notice a decrease in performance when accessing resources on the other side of the firewall. You must also be cautious when designing the filters. When too many restrictions are defined, customers and legitimate remote users might find it exceedingly difficult to get past the firewalls. This can result in loss of business or poor productivity for commercial organizations. Another potential drawback to stateful inspection firewalls is that, like packet-filtering firewalls, they cannot completely access higher-layer protocol and application services for inspection.

Figure 2-10 Stateful inspection firewall architecture. (Diagram labels: External Host, Firewall, Rule Base, State Table, Firewall Log Book, Internal Server.)

Application Proxy Firewalls

Application proxy firewalls generally aim for the top-most layer (Layer 7, the Application layer in the OSI model) for their operations. A proxy is a substitute for terminating connections in a connection-oriented service. For example, proxies can be deployed in between a remote user (who might be on a public network such as the Internet) and the dedicated server on the Internet. All that the remote user sees is the proxy, so he or she doesn’t know the identity of the server he or she is actually communicating with. Similarly, the server only sees the proxy and doesn’t know the true user. The proxy can be an effective shielding and filtering mechanism between public networks and protected internal or private networks. Proxy agents are application- and protocol-specific implementations that act on behalf of their intended application protocols. Protocols for which application proxy agents can be set up include the following:

▲ HTTP
▲ FTP
▲ SMTP

Because these firewall activities take place at the Application level and involve a large amount of data processing, application proxies are more expensive and slower than other firewalls. However, because applications are completely shielded by the proxy and because actions take place at the application level, these firewalls are very effective for sensitive applications. Authentication schemes, such as passwords and biometrics, can be set up for accessing the proxies, fortifying security implementations. In many cases, dedicated supplementary proxies can be set up to aid the work of the main firewalls and proxy servers. Moreover, application proxies offer the best security of all the firewall technologies discussed here. Figure 2-11 shows a comparison of the firewall technologies.

Disadvantages of Firewalls

There are some inherent disadvantages of installing firewalls. The main disadvantage is the cost involved in installation. A thorough analysis of the protected architecture and its vulnerabilities has to be performed for an effective firewall installation. When improperly configured, firewalls might block legitimate users from accessing network resources. Similarly, attackers can compromise the firewall itself to get around security measures. When firewalls are compromised by a clever attacker, he or she might be able to compromise the information system and cause considerable damage before being detected. Attackers can also leave back doors that might be unseen by firewalls. These trapdoors become potential easy entry points for a frequently visiting attacker. Huge losses can result

when potential users and customers are not able to access network resources or proceed with transactions.

Figure 2-11 Comparison of firewall technologies. (Chart plotting Packet Filtering, State Inspection and Application Proxy against Speed and Security.)

2.4.3 Network Address Translation

Network Address Translation (NAT) is the commonly used term for a service that translates private addresses that are normally internal to a particular organization into routable addresses on public networks such as the Internet. NAT complements the use of firewalls in providing an extra measure of security for an organization’s internal network. Typically, hosts from inside the protected networks (with a private address) are able to communicate with the outside world, but systems that are located outside the protected network have to go through the NAT system to reach internal networks. Many denial-of-service attacks such as SYN flood and ping of death can be prevented using NAT technology.

The main feature in NAT is the translation table. The translation table maps public IP addresses and ports to internal private IP addresses. Usually, this mapping is not one-to-one. A single public IP address might be mapped to more than one private IP address. Most NAT services actually use Network Address Port Translation (NAPT) or Port Address Translation (PAT) to connect multiple computers to the Internet (or any other IP network) using one IP address. Normally, port associations (on the NAT system) are used to map a request for a service to an IP address on the internal network. Any packets from the outside attempting to reach a particular host on the private network use the public IP address and a port number. It is the responsibility of the NAT service to use the translation table to find out the particular private address to which the packet has to be routed.

FOR EXAMPLE

Defining Network Borders

You are a network consultant. One of your customers does research and development. When performing a risk analysis, the customer identified three servers that contain highly confidential assets. These servers store data that should only be accessed by thirty employees. The customer has twenty other servers and over three hundred client computers. Client computers need to be able to connect to the Internet. The company also would like to have a web server that can be accessed from across the Internet and by users inside the private network.

You recommend a network with three segments: a DMZ, an internal network, and a highly secure network. You suggest a packet-filtering firewall at the border between the DMZ and the Internet because it will offer the best performance. You suggest a stateful inspection firewall at the border between the DMZ and the internal network. A stateful inspection firewall can be configured to prevent unsolicited HTTP traffic from entering the internal network. You also suggest a packet-filtering firewall between the private network and the secure network because it will allow you to limit the users who can access the servers on the secure network by the packet’s source IP address. You also implement NAT to allow users to access the Internet through a single IP address.

Figure 2-12 The NAT methodology.
Client computer 192.168.5.4 → NAT device 78.25.3.20 → Internet server 203.3.12.6
Client to NAT device: Source = 192.168.5.4 Port 6055, Destination = 203.3.12.6 Port 80
NAT device to Internet server: Source = 78.25.3.20 Port 6055, Destination = 203.3.12.6 Port 80
Internet server to NAT device: Source = 203.3.12.6 Port 80, Destination = 78.25.3.20 Port 6055
NAT device to client: Source = 203.3.12.6 Port 80, Destination = 192.168.5.4 Port 6055
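The translation table can be modelled in a few lines of Python. This is an added example, not the book’s code: it replays the Figure 2-12 exchange through a single public address, adds a second internal host that happens to use the same source port (so the NAPT device must pick a different public port), and shows both a static entry and the dynamic entries created by outbound packets. The second client, the published web server and the spare port range are constructed for the example; a real NAT device also keys entries on the remote endpoint and expires them, which this model omits.

```python
"""NAPT translation table with static and dynamic entries (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


PrivateEndpoint = Tuple[str, int]


class NaptDevice:
    """One public address shared by every host on the private network.

    The translation table maps a public port to (private address, private
    port). Static entries are configured in advance; dynamic entries are
    created as outbound packets are processed."""

    def __init__(self, public_ip: str, spare_port: int = 40000):
        self.public_ip = public_ip
        self.table: Dict[int, PrivateEndpoint] = {}
        self.reverse: Dict[PrivateEndpoint, int] = {}
        self.spare_port = spare_port   # next public port to use on a collision

    def add_static(self, public_port: int, private_ip: str, private_port: int) -> None:
        self.table[public_port] = (private_ip, private_port)
        self.reverse[(private_ip, private_port)] = public_port

    def _allocate(self, private_ip: str, private_port: int) -> int:
        key = (private_ip, private_port)
        if key not in self.reverse:
            port = private_port            # keep the client's port when it is free
            while port in self.table:      # already used by another host: take a spare
                port = self.spare_port
                self.spare_port += 1
            self.table[port] = key
            self.reverse[key] = port
        return self.reverse[key]

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: rewrite the source to the shared public address."""
        return replace(pkt, src=self.public_ip,
                       sport=self._allocate(pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: look the destination port up in the table.
        None means there is no entry, so the packet cannot be delivered."""
        if pkt.dst != self.public_ip or pkt.dport not in self.table:
            return None
        private_ip, private_port = self.table[pkt.dport]
        return replace(pkt, dst=private_ip, dport=private_port)


def run_scenario() -> dict:
    """Replay Figure 2-12, then add a second client, a stray packet and a published server."""
    nat = NaptDevice("78.25.3.20")
    nat.add_static(80, "192.168.5.10", 80)   # constructed: internal web server published on port 80
    out_a = nat.outbound(Packet("192.168.5.4", 6055, "203.3.12.6", 80))   # the flow in Figure 2-12
    out_b = nat.outbound(Packet("192.168.5.9", 6055, "203.3.12.6", 80))   # constructed second host
    return {
        "out_a": out_a,
        "out_b": out_b,
        "back_a": nat.inbound(Packet("203.3.12.6", 80, "78.25.3.20", out_a.sport)),
        "back_b": nat.inbound(Packet("203.3.12.6", 80, "78.25.3.20", out_b.sport)),
        "stray": nat.inbound(Packet("203.3.12.6", 80, "78.25.3.20", 6056)),    # no entry
        "to_web": nat.inbound(Packet("203.3.12.6", 51000, "78.25.3.20", 80)),   # static entry
    }


if __name__ == "__main__":
    for name, pkt in run_scenario().items():
        print(f"{name:7s} {pkt}")
```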

Figure 2-12 shows the technique involved in NAT. Normally, translation tables are built using two methods:

1. Static: In this configuration, the relationships among the public and private IP addresses are fixed.
2. Dynamic outbound packets: In this mode, the translation tables get updated automatically as outbound packets are processed from the private network.

SELF-CHECK

1. Describe how segmenting a network can help prevent attacks.
2. Identify the three types of firewalls and the OSI model layer at which each operates.

SUMMARY

In this chapter you learned some guidelines for securing the servers on your network. You learned the importance of the security by design and defense-in-depth methodologies. Next you learned how to reduce a server’s attack surface by disabling services, closing ports, and removing unnecessary peripheral devices. You also learned the steps to take to physically secure a server. Finally, you learned how to design a segmented network and how to choose the best perimeter defense.

KEY TERMS

Address Resolution Protocol (ARP)
American Standard Code for Information Interchange (ASCII)
AppleTalk Session Protocol (ASP)
Application layer (OSI model)
Application layer (TCP/IP model)
Application proxy firewall
Berkeley Internet Name Domain (BIND)
BootP
Border security
Broadcast packet
Chargen
Connectionless protocol

Connection-oriented protocol
Crackers
Data encapsulation
Data Link layer
Defense-in-depth
Demilitarized zone (DMZ)
Digital Network Architecture Session Control Protocol (DNA-SCP)
Domain Name System (DNS)
Echo
Extended Binary-Coded Decimal Interchange Code (EBCDIC)
Failover system
File Transfer Protocol (FTP)
Filter
Finger
Headless server
Host-to-Host layer
Hypertext Transfer Protocol (HTTP)
Internet Control Message Protocol (ICMP)
Internet layer
Internet Protocol (IP)
Internet Protocol Security (IPsec)
Internetwork Packet Exchange (IPX)
IP address
Joint Photographic Experts Group (JPEG)
Layered architecture
Limiting the attack surface
Local Service account
Local System account
Logical Link layer
Media Access Control (MAC) address
Media Access layer
Motion Picture Experts Group (MPEG)
Multicasting
Multicast packet
Multipurpose Internet Mail Extensions (MIME)
Need-to-access environment
Need-to-know environment
Netstat
Network Access layer
Network Address Translation (NAT)
Network File System (NFS)
Network layer
Network Service account
Network stack
Open Shortest Path First (OSPF)
Open Systems Interconnect (OSI) model
Packet filtering
Packet sniffer
Perimeter network
Personal firewall
Physical entry point
Physical layer
Ping
Ping of death
Point-to-Point Protocol (PPP)
POP3
Port
Port scanner
Post Office Protocol (POP)
Presentation layer
Private network
Promiscuous mode
Protocol

Protocol analyzer
Proxy agents
Public network
Remote access server
Remote login
Remote Procedure Call (RPC)
Reverse Address Resolution Protocol (RARP)
Rlogin
Routing Information Protocol (RIP)
Rule base
Ruleset
Screened subnet
Secure File Transfer Protocol (SFTP)
Secure Shell (SSH)
Semi-private network
Separation of services
Sequenced Packet Exchange (SPX)
Serial Line Internet Protocol (SLIP)
Session Control Protocol (SCP)
Session layer
Simple Mail Transfer Protocol (SMTP)
Simple Network Management Protocol (SNMP)
Slogin
Sockets
SSH-2
Stateful inspection
Stateful packet filtering
State table
Systat
Tagged Information File Format (TIFF)
TCP/IP model
Telnet
Translation table
Transmission Control Protocol (TCP)
Transport layer (OSI model)
Transport layer (TCP/IP model)
Trivial File Transfer Protocol (TFTP)
Unicast packet
User Datagram Protocol (UDP)
Well-known ports

ASSESS YOUR UNDERSTANDING

Go to www.wiley.com/college/cole to evaluate your knowledge of server security and network borders. Measure your learning by comparing pre-test and post-test results.

Summary Questions

1. Which layer of the OSI model is responsible for routing?
(a) Data Link (b) Network (c) Session (d) Transport

2. Which TCP/IP protocol is a secure alternative to Telnet?
(a) ARP (b) Finger (c) Rlogin (d) SSH

3. Which port is associated with POP3 email?
(a) 25 (b) 79 (c) 110 (d) 445

4. A port scanner identifies that port 23 is open. What does this tell an attacker about the computer?
(a) It is a web server. (b) It is running the FTP service. (c) It can be accessed by Telnet. (d) It can be accessed by SSH.

5. Providing fire protection is one step in physically securing a server. True or false?

6. The defense-in-depth security strategy involves implementing multiple controls. True or false?

7. Which account should be used to execute a Windows service that requires minimal permissions and does not need to access the network?
(a) Local Service (b) Local System (c) Network Service

8. Which of the following devices can allow an intruder with physical access to a server to steal confidential information?
(a) A scanner (b) A USB port (c) A modem (d) A PS/2 port

9. A firewall should only be used on the border between the Internet and the private network. True or false?

10. Which type of firewall operates at Layer 3 of the OSI model?
(a) Application proxy (b) Packet-filtering (c) Stateful inspection

11. Which type of firewall can be used to ensure that only responses to a request from an internal host are allowed through?
(a) Application proxy (b) Packet-filtering (c) Stateful inspection

Applying This Chapter

1. You are a network administrator at a company. The company uses Microsoft Exchange for email. There is also a web server that must be accessed by customers and employees. Some employees work remotely and need access to an FTP server to upload and download files. There is a database server that stores accounting data, customer data, and employee data.

(a) Describe the justification for running FTP and the web service on different computers.

(b) The table below lists some well-known ports and some servers. Identify whether the ports should be open or closed.

Ports   Exchange server   Web server   FTP server   Database server
20
21
23
25
80

(c) Describe the danger port scanners pose to your network.

(d) You decide to segment your network using a DMZ. Which servers should you place in the DMZ?

(e) What is one way you can allow the Microsoft Exchange server to receive email from an SMTP forwarder on the Internet?

(f) What precautions should you take to physically secure the servers?

(g) Which servers should include a modem?

(h) The database servers are in a locked closet on the internal network. How should you apply access permissions to add another layer of depth to the database servers’ defense?

YOU TRY IT

Analyzing the Attack Surface of Your Computer

Although typically not as critical as a server, workstations also have an attack surface. Have you thought about the services that are running on your computer? How about your computer’s physical security?

1. If you are running Windows XP or Windows Vista, use the Services utility to view the services running on your system.
2. Make a list of the people who have physical access to your computer.
3. How could you improve the physical security of your computer?
4. Does your computer connect directly to the Internet? Is it part of a private network?
5. If it’s on a private network, are you using a firewall as border security? If so, what type?

Tools or Threats? You Decide

Packet sniffers and port analyzers can be used as legitimate troubleshooting tools, but can also be used by potential attackers.

1. Give an example of how you would use each tool for legitimate troubleshooting.
2. Discuss the impact of the dual nature of packet sniffers and port analyzers on network maintenance and security.
3. The ICMP protocol is also useful for diagnosing problems, and several diagnostic tools, such as ping, use ICMP. However, ping can be used to launch a denial-of-service attack. Discuss the pros and cons of configuring a packet-filtering firewall to drop ICMP packets.

3 CRYPTOGRAPHY

Starting Point

Go to www.wiley.com/college/cole to assess your knowledge of cryptography and public key infrastructure (PKI). Determine where you need to concentrate your effort.

What You’ll Learn in This Chapter

▲ History of cryptography
▲ Symmetric encryption
▲ Asymmetric encryption
▲ Hashes
▲ Public key infrastructure (PKI)
▲ Certificate Authority hierarchy
▲ Issuing and revoking certificates

After Studying This Chapter, You’ll Be Able To

▲ Identify the characteristics of strong encryption
▲ Identify cryptography primitives
▲ Describe how symmetric encryption works
▲ Describe how asymmetric encryption works
▲ Describe the role of a hash in ensuring data integrity
▲ Describe how public key infrastructure (PKI) allows you to securely manage and distribute certificates
▲ Design a Certificate Authority hierarchy
▲ Design a certificate enrollment and revocation strategy

INTRODUCTION

While much of security involves the process of putting up walls to prevent an attack or managing risk when an attack occurs, cryptography (the science of changing plain text by substituting or transposing characters) plays an important role in an overall security scheme. A basic understanding of cryptographic algorithms (step-by-step procedures or mathematical formulas used to solve problems) and their role in providing confidentiality, integrity, and authentication can help you make good decisions about how to use various technologies that are based on them.

This chapter begins with a brief overview of the history of cryptography. Following that, we’ll introduce the cast of characters that are commonly used when discussing cryptography. Next we’ll overview the four key areas of cryptography, known as cryptographic primitives. From there we briefly overview how the XOR process is used in cryptography. Finally, the chapter discusses the four main areas of cryptography: random number generation, symmetric encryption, asymmetric encryption, and hashes. The chapter concludes with a look at public key infrastructure (PKI) and a brief look at designing your own infrastructure for issuing digital certificates.

3.1 Cryptography Overview

In this first section, we’ll take a short look at the history of cryptography and the vulnerabilities of a few historical algorithms. Cryptography is an essential part of providing data confidentiality, integrity, and authentication. As computers become more powerful, the cryptographic algorithms must be made stronger to keep data secure. But before we discuss the algorithms used today, let’s look back at some of the earliest methods of encryption and analyze why they are easy to crack.

3.1.1 A Brief History of Cryptography

Mankind has had a need to encrypt data since long before computers were invented. Leaders needed to deliver data secretively to generals on the battlefield, and lovers sent messages to each other in code. The earliest forms of cryptography were easy to crack by today’s standards. However, before the advent of computers, analyzing and finding the weakness in a cryptographic algorithm (a process known as cryptanalysis) could take hours, days, or years because it depended solely on human ingenuity and effort. Today’s cryptographic algorithms are broken by computers, which can try millions of combinations each second.

Substitution Ciphers

As far back as Julius Caesar, cryptography was used to protect messages. Caesar would encrypt his messages before giving them to messengers, protecting them

Caesar used a simple method of encryption called a substitution cipher. A substitution cipher maps each letter in the alphabet to another letter. For example, the letter a might be mapped to f, b to g, and so on through the alphabet. Caesar used to replace each letter in the alphabet with the letter three letters to the right of it, wrapping around at the end of the alphabet. This value is known as the shift. This mapping is shown in Figure 3-1, where the letters in the top row are in plain text (data in its unencrypted, readable form), and the ones in the bottom row are the corresponding letters in cipher text (data in its encrypted, unreadable form).

Figure 3-1
a b c d e f g h i j k l m n o p q r s t u v w x y z
d e f g h i j k l m n o p q r s t u v w x y z a b c
Caesar’s encryption scheme.

Using this encryption scheme, if you were to encode the word cryptography, you would look up the letter c in the top row and find the letter f corresponding to it in the bottom row. Applying this process to all the letters yields the following:

Plain text: cryptography
Cipher text: fubswrjudskb

An encryption algorithm, or cipher, requires both plain text and a key (a piece of data used with encryption and decryption) to create cipher text. The key in this algorithm is the table shown in Figure 3-1. This table acts as the key for the algorithm, mapping plain text letters to cipher text letters. To determine the table, you need to know the offset used to calculate the cipher text. Without the table, trying to decode fubswrjudskb into cryptography might seem like an impossible task. However, some cryptanalysts (people who analyze and crack cryptographic algorithms) realized that breaking such a cipher was very easy. They needed to try at most 25 different substitutions or rotations of the alphabet before the cipher text would be converted into plain text, making sense of the words.

Another drawback of a simple substitution cipher is that it is prone to frequency analysis. Frequency analysis uses the fact that some letters in the English language appear more frequently than other letters. For example, consider the following sentence: The enemy plans to wait until the storm ends to attack. When this sentence is encrypted with the Caesar cipher, you obtain the following cipher text:

wkhhqhpbsodqvwrzdlwxqwlowkhvwruphqgvwrdwwdfn

The six most common letters used in English language text are e, t, a, i, r, and s. The most frequent letters in the cipher text are w (8 occurrences) and h (5 occurrences). So, to determine the shift value using frequency analysis, you would begin by attempting to decode using the most likely shift value, which in this case would be substituting the letter e for each occurrence of w (a shift value of 18). You only need to decode a few characters to know that this is not the correct shift value: esppyp. You would then continue with the next most likely shift value, and then the next, and so forth, until you try a shift value of 3 and reveal the correct plain text. Notice that using frequency analysis made it more likely that you would discover the key in the first five or six attempts.

Vigenere Cipher

In the sixteenth century, Blaise de Vigenere proposed a more secure encryption algorithm, the Vigenere cipher. The Vigenere cipher works by using a keyword and substituting plain text letters for cipher text letters according to the keyword, repeating the keyword as many times as needed to compensate for the length of the plain text. Vigenere’s cipher assigned a number to each of the letters in the alphabet and then added the value of each letter in the keyword to the value of each letter in the plain text to obtain the cipher text. A different key was constructed for each message. However, the numbering for the alphabet was simple and always remained the same: a = 0, b = 1, and so on until reaching z = 25. If the value of the two letters added together was larger than 26, 26 was subtracted from this value to obtain the cipher text character. This process was repeated for each letter in the plain text using the next letter in the keyword. For example, using the same sample message, cryptography, and the keyword luck, the plain text is encrypted into nlazeiibljji as shown in Figure 3-2.

The Vigenere cipher uses a method known as polyalphabetic substitution, instead of a simple rotation of the alphabet, making it more secure. To obtain the plain text from the cipher text by brute force methods (the process of working through all possible keys until the proper key is found that decrypts cipher text into plain text) would take a very long time even with today’s computers because the size of the key is not known. To use a brute force method, you would need to try keys of different sizes and all combinations of letters for each key size. For example, you would need to try 26 combinations for each letter in a 2-letter keyword, 26 combinations for each letter in a 3-letter keyword, and so forth.
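The Caesar shift, the brute-force and frequency-analysis attacks on it, and the Vigenere keyword addition described above, as an added example in Python that is not part of the textbook. Caesar's cipher is written as the one-letter case of the Vigenere cipher, since both are the same letter arithmetic (a = 0 through z = 25, wrapping at 26); the function names and the frequency order e, t, a, i, r, s used to rank candidate shifts are assumptions of this example.

```python
# Added example (not from the textbook): the Caesar and Vigenere ciphers as one
# shift-based family, with the brute-force and frequency-analysis attacks the
# chapter describes. Function names are this example's own.
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def letters_only(text):
    """Keep a-z only, lower-cased, so the letter arithmetic below is well defined."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def shift_letter(ch, shift):
    """Rotate one letter by `shift` positions, wrapping around at z (a = 0 ... z = 25)."""
    return ALPHABET[(ALPHABET.index(ch) + shift) % 26]


def vigenere(text, keyword, decrypt=False):
    """Add (or subtract) the keyword's letter values cyclically.
    A one-letter keyword is exactly the Caesar cipher."""
    plain = letters_only(text)
    key_shifts = [ALPHABET.index(k) for k in letters_only(keyword)]
    out = []
    for i, ch in enumerate(plain):
        s = key_shifts[i % len(key_shifts)]
        out.append(shift_letter(ch, -s if decrypt else s))
    return "".join(out)


def caesar(text, shift, decrypt=False):
    """Caesar's cipher: every letter moves by the same shift (Caesar used 3)."""
    return vigenere(text, ALPHABET[shift % 26], decrypt)


def brute_force_caesar(cipher_text):
    """Try all 25 non-trivial rotations; returns {shift: candidate plain text}."""
    return {s: caesar(cipher_text, s, decrypt=True) for s in range(1, 26)}


def frequency_ranked_shifts(cipher_text, common="etairs"):
    """Frequency analysis: assume the most frequent cipher letter stands for e,
    then t, a, i, r, s, and return (shift, first six decrypted letters) pairs
    in the order you would try them. A few letters are enough to reject a guess."""
    counts = Counter(letters_only(cipher_text))
    top_cipher_letter = counts.most_common(1)[0][0]
    guesses = []
    for plain_letter in common:
        shift = (ALPHABET.index(top_cipher_letter) - ALPHABET.index(plain_letter)) % 26
        guesses.append((shift, caesar(cipher_text, shift, decrypt=True)[:6]))
    return guesses
```

Running frequency_ranked_shifts on the chapter's cipher text returns shift 18 (which decrypts to esppyp) first and shift 3 (theene...) second, the same sequence of attempts the text walks through; brute_force_caesar shows that even without frequency analysis the key space is only 25 candidates.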

Figure 3-2
Plain text:          C  R  Y  P  T  O  G  R  A  P  H  Y
Key:                 L  U  C  K  L  U  C  K  L  U  C  K
Plain text values:   2 17 24 15 19 14  6 17  0 15  7 24
Key values:         11 20  2 10 11 20  2 10 11 20  2 10
Cipher text values: 13 11  0 25  4  8  8  1 11  9  9  8
Cipher text:         N  L  A  Z  E  I  I  B  L  J  J  I
Encryption with the Vigenere cipher.

The cipher was also not as vulnerable to frequency analysis because a specific plain text letter would not always appear as the same value in the cipher text. The Vigenere cipher was considered unbreakable for 300 years. Then in the 1800s, both Friedrich Kasiski and Charles Babbage independently developed similar techniques for cracking the Vigenere cipher. Their techniques hinge on the weakness that the key is applied repeatedly to generate the cipher text. Therefore, if you can discover the length of the key, you can break the cipher text into multiple simple substitution ciphers. Using our previous example, if you know that the key length is 4 letters, you can independently crack four different simple substitution ciphers, as shown in Figure 3-3.

Figure 3-3
Plain text:          C  R  Y  P  T  O  G  R  A  P  H  Y
Key:                 L  U  C  K  L  U  C  K  L  U  C  K
Plain text values:   2 17 24 15 19 14  6 17  0 15  7 24
Key values:         11 20  2 10 11 20  2 10 11 20  2 10
Cipher text values: 13 11  0 25  4  8  8  1 11  9  9  8
Cipher text:         N  L  A  Z  E  I  I  B  L  J  J  I
Simple cipher:       1  2  3  4  1  2  3  4  1  2  3  4
Breaking the Vigenere cipher text into simple substitution ciphers.

One-Time Pad

The one-time pad was used by the military to communicate covertly between field agents. Each agent was given a pad of paper that contained randomly selected numbers between 0 and 25. Two copies of each pad were made. One was given to the agent and the other was kept at the headquarters the agent was to communicate with. To encrypt a message, the agent shifted the position of the first letter of the plain text by the first number in the pad. The second letter of the plain text was shifted by the second number in the pad. This continued until all of the letters in the plain text were encrypted and the resulting cipher text was left.
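The Kasiski examination that the Kasiski and Babbage techniques rest on, as an added example in Python that is not the book's code: plain text that repeats at a distance that is a multiple of the key length is encrypted under the same key letters, so it repeats in the cipher text as well, and the greatest common divisor of the distances between such repeats reveals the key length. Once the key length is known, the cipher text splits into the columns of Figure 3-3, each of which is a Caesar cipher whose shift can then be found with the frequency analysis shown earlier. The sample message, the keyword luck, and the function names are constructed for this example.

```python
# Added example (not from the textbook): Kasiski examination of a Vigenere
# cipher text, then splitting it into the simple substitution ciphers of
# Figure 3-3. The message and keyword are constructed for this example.
from functools import reduce
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def vigenere_encrypt(plain, keyword):
    """Vigenere: add the keyword letters cyclically, a = 0 ... z = 25, wrapping at 26."""
    return "".join(
        ALPHABET[(ALPHABET.index(p) + ALPHABET.index(keyword[i % len(keyword)])) % 26]
        for i, p in enumerate(plain))


def repeated_sequence_distances(cipher, length=3):
    """Distances from the first occurrence of each repeated `length`-letter sequence.
    Repeated plain text a multiple of the key length apart meets the same key
    letters, so the repeat survives encryption; other repeats are coincidence."""
    first_seen = {}
    distances = []
    for i in range(len(cipher) - length + 1):
        seq = cipher[i:i + length]
        if seq in first_seen:
            distances.append(i - first_seen[seq])
        else:
            first_seen[seq] = i
    return distances


def kasiski_key_length(cipher):
    """The key length divides every genuine repeat distance, so their gcd is the guess
    (0 is returned when the cipher text contains no repeats at all)."""
    return reduce(gcd, repeated_sequence_distances(cipher), 0)


def split_into_simple_ciphers(cipher, key_length):
    """Column j holds every key_length-th letter starting at j: one Caesar cipher per
    column, matching the 'Simple cipher' row of Figure 3-3."""
    return [cipher[j::key_length] for j in range(key_length)]


def decrypt_columns(columns, key_shifts):
    """Undo each column's Caesar shift and interleave the columns back into the message."""
    k = len(columns)
    plain = []
    for i in range(sum(len(c) for c in columns)):
        ch = columns[i % k][i // k]
        plain.append(ALPHABET[(ALPHABET.index(ch) - key_shifts[i % k]) % 26])
    return "".join(plain)


# Constructed sample: orders that repeat two phrases 12 and 20 letters apart,
# both multiples of the 4-letter keyword, so gcd(12, 20) = 4 gives the key length.
SAMPLE_PLAIN = "attackatdawnattackatdusksendsuppliesbyconvoysendsuppliesbysea"
SAMPLE_CIPHER = vigenere_encrypt(SAMPLE_PLAIN, "luck")
```

For the chapter's own twelve-letter cipher text, split_into_simple_ciphers("nlazeiibljji", 4) yields the columns nel, lij, aij and zbi, exactly the four simple ciphers numbered 1 to 4 in Figure 3-3; a message that short has no repeats for the Kasiski step, which is why the constructed sample is longer.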

Assuming the numbers were randomly created, the cipher text was completely secure and only the agent and headquarters could decrypt the message. While this idea was completely secure, it had logistical flaws. The numbers could not be generated randomly and they would repeat or have patterns that could be detected and reproduced by an agent who carelessly discarded part of the pad. Also, the pads were usually not long enough for more than a few messages. With the agents unable to obtain a new pad, they simply reused the pad starting from the beginning. This reuse of the pad, even across multiple messages, caused the same problem the Vigenere cipher had. A variation of the one-time pad algorithm was used for encrypting radio communications well into the 1980s.

Ciphers that Shaped History

The idea of substituting one letter for another carried on to World War II, where the Germans created a machine called Enigma that worked on the same basic principle of substituting each letter for another. However, instead of the substitution being simple, it was a complex set of substitutions that changed while the message was being typed. Rotors in the machine tracked these substitutions. It was the different speeds at which these rotors advanced and the ability to change rotors that provided the machine’s security. Each unit had a different code book that was changed each day. While the machine was very complex and did a good job of encryption, it was the Germans’ belief that letters in plain text should not be substituted for the same letter in cipher text that proved to be its downfall. This poor assumption and design decision greatly reduced the number of possible combinations for substitution, making the machine weak. The United States and Great Britain captured and duplicated the Enigma machine and were eventually able to decrypt messages without the key, essentially breaking Enigma.

Following the Germans’ lead, the Japanese created a machine called Purple. Purple was modeled after Enigma but used telephone stepping switches instead of rotors to create the character mappings. The U.S. Government also eventually broke Purple during World War II. Purple proved very important in the war because it was used to encrypt diplomatic communications that hinted at the Pearl Harbor attack.

3.1.2 Cryptographic Primitives

Cryptography is best understood by breaking it into four main areas, or primitives. All of cryptography is based on these four primitives, and the primitives are closely connected. While the design and construction of cryptographic primitives is usually left to experts, it is important to understand how they work and interact from a high-level perspective. With a full understanding of these primitives, you should be able to read any standard that references them and understand protocols built by using them.

The four basic cryptographic primitives are as follows:
1. Random number generation
2. Symmetric encryption
3. Asymmetric encryption
4. Hash functions

It is also important to understand the goals of cryptography and how these primitives allow the goals to be achieved. Cryptography has three main goals, often discussed using the acronym CIA, which stands for confidentiality, integrity, and authentication. These properties, as they relate to cryptography, are defined here:

▲ Confidentiality: Only the parties that should be able to obtain the information are able to obtain it. This relates closely to the decrypting of messages by attackers. If an attacker can decrypt a message without the required key, confidentiality is not achieved.
▲ Integrity: Data has not been modified or changed in any way, deliberately or otherwise. Both known and unknown changes are included in the definition of integrity because things such as network errors are considered a breach of integrity even though they are not a deliberate attack.
▲ Authentication: The proposed source of the data ideally can be verified to be true. Data that is delivered from one source to another has achieved authentication if the sender of that data can be proven.

Sometimes it is enough to use a single primitive alone to obtain one of the CIA goals; most of the time, however, the primitives are used together to obtain the CIA goal. For example, it requires all four of the primitives to complete the task of using a credit card to purchase merchandise from a secure Internet site. The first of the primitives is discussed here. The other three are presented later in the chapter.

Random Number Generation

The first cryptographic primitive is the generation of random numbers, or, more accurately, random bit strings. Even the simplest encryption algorithms, such as the one-time pad, require the generation of pseudorandom numbers. While a computer algorithm can never generate completely random numbers, there are algorithms that create pseudorandom numbers, or numbers that appear to be random. The numbers created from cryptographic pseudorandom number generators do not have to be 100 percent random—they simply have to be unpredictable to an attacker.

Because creating truly random numbers is not possible on a computer, many interesting techniques have been used to obtain seemingly random numbers. There are two basic approaches to generating pseudorandom numbers on a computer. The first is to design an algorithm that will create what appears to be random numbers. The main problem with this approach is that at some point the algorithm will cycle and you will start seeing the same numbers in the same order. This is called depth and is very dangerous because the repeated bit stream makes it easier to break encryption. If an attacker can recreate the stream of bits used to create the keys for any encryption algorithm, it is as if the attacker has been given the key. By recreating the stream of bits used to create the key, an attacker can recreate the key using the same method because all good encryption algorithms are published.

Two pseudorandom number generators that are cryptographically secure are the Blum-Blum-Shub pseudorandom generator and the RSA (which stands for Rivest, Shamir, and Adleman, its inventors) pseudorandom generator. Both of these algorithms rely on a number of theoretical properties that are outside the scope of this text. In general terms, these algorithms are believed to be relatively secure because they require the factoring of large numbers in order to be broken, and this is believed to be computationally infeasible (though not impossible) if the number is large enough.

3.1.3 XOR

Instead of simply rotating characters, a more modern approach to cryptography uses the XOR (exclusive or) function. The XOR function is a binary operation performed on two strings of bits, resulting in a third string of bits. Whenever two bits are not the same, the resulting bit is a 1, and when two bits are the same, the resulting bit is a 0. Table 3-1 shows the results when the XOR function is applied to two values.

Table 3-1: XOR Results
A   B   A XOR B
0   0   0
0   1   1
1   0   1
1   1   0

Instead of using simple addition, which had the problem of the resulting number being larger than the character set, XOR can be used in the same way as shifting with the same level of security, but without the problem of the result not mapping to a character.

XOR also has a very nice inverse property just like addition. If A represents a plain text character and B represents a key character, then C is the resulting cipher text after encryption using the XOR function. For example, A XOR B = C, A XOR C = B, and B XOR C = A. To decrypt, you simply reapply the XOR function to C and B, or the cipher text and the key. If the key is just as long as the plain text, and the values generated for the key are done so randomly, this method of encrypting is highly secure. Without the key it is impossible to know what the plain text was. All possible values can work for the key, but only one returns the proper results.

3.1.4 Cast of Characters

Before explaining the other cryptographic primitives, we need to introduce some people that will be used for example purposes throughout the rest of this chapter, as well as a few tactical terms. The names chosen are not unique to this book; in fact, almost all cryptography explanations use these names. Familiarize yourself with them because they will often be used to describe a cryptographic protocol without further definition. The following are used to designate people or computers. Instead of saying, “Computer A sends a message to computer B,” “Alice sends a message to Bob” is used instead. The reason for the names is no more complex than the first letter of their names. The cast of characters is as follows:

▲ Alice: She is an end user/computer without malicious intentions, one of the main users of cryptography.
▲ Bob: He is Alice’s friend and is also a main user of cryptography, without malicious intentions.
▲ Cathy: Another user of cryptography; she does not usually have a large role nor malicious intentions.
▲ Trent: He is a trusted third party. He can always be trusted to do what he says he will do. He only communicates with Alice, Bob, or Cathy when they ask for his help.
▲ Eve: A malicious user that does not interfere with communications. She simply wants to eavesdrop on the conversation between two other characters—typically Alice and Bob—but does not actively try to attack the communication.
▲ Mallory: The malicious user who is always trying to thwart attempts by other characters to communicate securely.

These characters are used throughout the rest of this chapter.
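The XOR encryption and its inverse property described in the XOR section above, as an added Python example that is not part of the textbook, working on bytes rather than single characters. It also shows the failure the one-time pad section described: when two messages are encrypted with the same pad, XORing the two cipher texts cancels the pad and leaves Eve with the XOR of the two plain texts. The fixed pad, the two messages, and the function names are constructed for this example.

```python
# Added example (not from the textbook): XOR as the one-time pad operation, its
# inverse property, and what reusing a pad leaks. Sample data is constructed.
import os


def xor_bytes(a, b):
    """A XOR B byte by byte; the two inputs must be the same length."""
    if len(a) != len(b):
        raise ValueError("one-time pad: the key must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def one_time_pad_encrypt(plain, pad):
    """C = P XOR K; every pad byte is used for exactly one plain text byte."""
    return xor_bytes(plain, pad)


def one_time_pad_decrypt(cipher, pad):
    """P = C XOR K: the same operation again, because XOR is its own inverse."""
    return xor_bytes(cipher, pad)


def fresh_pad(length):
    """A new pad from the operating system's cryptographic random source."""
    return os.urandom(length)


def reused_pad_leak(cipher1, cipher2):
    """What an eavesdropper can compute when two messages used the same pad:
    C1 XOR C2 = (P1 XOR K) XOR (P2 XOR K) = P1 XOR P2. The pad cancels out,
    which is the weakness the one-time pad section above describes."""
    return xor_bytes(cipher1, cipher2)


# Constructed sample: a fixed 12-byte pad so the results are reproducible.
# A real pad comes from fresh_pad() and is used for one message only.
SAMPLE_PAD = bytes([0x1f, 0xa2, 0x33, 0x7c, 0x90, 0x05, 0xee, 0x41, 0x6a, 0xb7, 0x0c, 0x58])
MESSAGE_1 = b"attack at 06"
MESSAGE_2 = b"retreat at 9"
```

The length check in xor_bytes is deliberate: a pad shorter than the data would have to be repeated, and repetition is exactly what reused_pad_leak exploits, so the function refuses rather than silently wrapping around.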

FOR EXAMPLE

Windtalkers

Another well-known use of cryptography during war is the cryptographic algorithm used by the code talkers (also called windtalkers) in the Pacific Theater during World War II. The code talkers were Navaho Indians. A group of Navaho Indians developed a cryptographic system that mapped nouns and verbs from the Navaho language to the letters in the English language. Multiple words were associated with a single letter. Native speakers of the Navaho language were deployed as part of the regular armed forces units to encrypt and decrypt the messages. The algorithm was never cracked because doing so would have required a native Navaho speaker to work with a cryptologist.

SELF-CHECK

1. Identify the four primitives of cryptography.
2. Identify the three goals of cryptography.
3. Describe how the Vigenere cipher protects the confidentiality of data better than a substitution cipher.

3.2 Symmetric Encryption

Symmetric encryption, or single-key encryption, is the most well understood cryptography primitive. It is where the whole field really started. Caesar and his cipher, the Germans and Enigma, and the Japanese and Purple are all examples of symmetric encryption. The idea behind symmetric encryption is that only a single key is used to both encrypt and decrypt a message. In this section we’ll look at how symmetric encryption works, the types of ciphers used by different algorithms, and the main drawback to using symmetric encryption: exchanging keys.

3.2.1 Understanding Symmetric Encryption

Symmetric encryption is used when Alice wants to provide for the confidentiality of a message she sends to Bob. Depending upon the mode of encryption used (modes are explained later in this chapter), symmetric encryption can also provide integrity when used correctly. The benefit to using symmetric encryption is that it’s very fast.

The best analogy for symmetric encryption is that of a lockbox. To unlock a lockbox you must have the right key. In the physical world this key is usually a metal object. Whatever is inside the lockbox is confidential and protected from anyone without the key. Mallory can attempt to open the safe by going through all possible physical configurations for a key until the proper configuration is tried and the safe is opened. In cryptography the same is true. However, this key is a set of random bits. The same key is used to decrypt the data as is used to encrypt the data. Mallory is unable to read, modify, or do anything to the data except destroy it (by destroying the lockbox). Mallory can try all possible key combinations until one works.

3.2.2 Encryption Strength

In our lockbox example, how many combinations would an attacker have to try? The answer to that question depends upon the encryption algorithm or cipher used. One popular symmetric encryption algorithm, Data Encryption Standard (DES), has a key of 56 bits. This means that breaking the algorithm would require 72,057,594,037,927,936 different keys to be tested to exhaust all possibilities. Assuming a computer could try a million keys a second, it would take 2284 years to try all of the keys. That sounds like it is a secure algorithm because we will all be dead by the time the key is discovered. However, a specially built machine was used to crack DES in a little over 36 hours.

An algorithm is considered computationally secure if the amount of time needed to compute all possible combinations is so large that it cannot be done in any reasonable amount of time. This definition, “in a reasonable amount of time,” is deliberately vague, because the meaning of computationally secure is ever-changing as the speed of a computer is ever-increasing. Also, most data does not need to be protected forever. Different types of data have different periods of time during which disclosure is a risk. After that time has elapsed, the data no longer needs to be kept confidential.

3.2.3 Stream Ciphers

A stream cipher uses a single key to encrypt a message or stream of data. The message is considered to be a stream of data in that each byte is processed with the bytes preceding it, and the order is important. If you were to change the order of any of the bytes in the plain text, the cipher text, from that point forward, would look different. Stream ciphers normally do not require any padding of the message. Padding is adding extra bits to the message. Because messages are treated as a stream of data they can be of any length and do not need to be padded in any way except to add randomness to common messages. Figure 3-4 shows what a stream cipher does.

Figure 3-4
Plain text T X E T N -> stream cipher -> cipher text 6 G Z 8 !
A stream cipher.

When Alice wants to send a message to Bob using a stream cipher, they must both have the same key and Bob must feed the cipher text into the algorithm in the same order as Alice fed the plain text into the algorithm to encrypt it. If any of the cipher text bits are changed, it will be obvious to Bob when he decrypts the message. Mallory can prevent Bob from decrypting most stream-cipher-encrypted messages by changing the first few bits that Alice sends to Bob. This property of a stream cipher is not always a bad thing. It provides integrity. This property is an important one to consider if the message will be sent across an unreliable connection. There are some stream ciphers that do not propagate errors through the entire message. What this means is that if an error occurs while the message is being sent from Alice to Bob, it will only prevent that section of the message from being decrypted properly.

You have already learned about one type of stream cipher, the one-time pad. Other stream ciphers include the following:
▲ RC4
▲ SEAL (Software-Optimized Encryption Algorithm)
▲ ISAAC (stands for indirection, shift, accumulate, add, and count)
▲ Panama
▲ A5/1
▲ A5/2
▲ FISH (FIbonacci SHrinking)
▲ Helix

3.2.4 Block Ciphers

A block cipher is the other kind of symmetric encryption algorithm. Block ciphers also use a single key to encrypt a message, but it is done one block at a time. A block is considered a certain number of bits and is determined by the algorithm. Each block is processed independently, and there is no correlation between the encrypting of one message block and another. Figure 3-5 shows what a block cipher does.

Figure 3-5
Plain text -> Block Cipher -> Cipher text
A block cipher.

Because block ciphers have the ability to process a single block of the message independently, they can be decrypted in parallel. An error in any block only affects the decryption of that block. If an entire block is lost during transmission, this will not prevent decryption from occurring, as would happen with a stream cipher. Although the encryption method provides confidentiality, integrity can be broken. For example, if Alice sends the message “yes” to Bob in response to a series of questions, the word “yes” will be encrypted to the same cipher text, assuming the same key is used. Then every time the word “yes” was sent, Eve would know what message was being sent without needing to decrypt it. Worse yet, Mallory could precompute the message “yes” with all possible keys and then simply match the cipher text seen to the cipher text of a precomputed message. Assuming the key size was small enough, Mallory would be able to compute the corresponding key and break all further encryptions.

Another attack that Mallory can use is to change the order of blocks. For example, suppose Alice asks Bob what his house number is and his response is “1234,” encrypting “12” in one block and “34” in another. Without knowing what house number was actually sent, Mallory can still change the ordering of the blocks and send Alice “3412,” the wrong house number. So Mallory can change the ordering of the blocks without Bob or Alice knowing.

To prevent the same plain text block always encrypting to the same cipher text block, block ciphers use different encryption modes. Because no block depends on any other block, they need to include safeguards to prevent someone from gaining information about the message by seeing repeated blocks. The encryption modes are described as follows:

▲ Electronic code book (ECB): The message is encrypted one block at a time so that one plain text block maps to one cipher text block. If a cipher text bit is changed, none of the other blocks are affected.
▲ Cipher-block chaining (CBC): The output block of the previous encryption is XORed with the next block of plain text before being encrypted. If a bit is changed in the plain text of one block, that change is propagated to all subsequent cipher text blocks. If a cipher text bit is changed, the current block will be corrupted and the changed bit will be inverted in the next block. CBC does not allow blocks to be encrypted in parallel.

▲ Propagating cipher-block chaining (PCBC): Similar to CBC, except that changes to the cipher text are propagated throughout the message. PCBC is the mode of operation used in Kerberos (an authentication protocol).
▲ Cipher feedback (CFB): The previous cipher text block is XORed with the current encrypted text block. This differs from CBC mode in that the XOR occurs after the encryption of the current text block. If a bit in the cipher text is changed, the current block will have that bit inverted and the subsequent block will be corrupted. However, if any of the bits are lost, including a whole block, the error is propagated to all of the remaining blocks and cannot recover.
▲ Output feedback (OFB): The output of the encryption algorithm is continually fed into the algorithm while the plain text is XORed with this output. This differs from CFB because what is fed into the encryption algorithm does not include the cipher text. If an error occurs in one block, that error is only propagated to those bits that are changed. This enables Mallory to cause predictable changes to the message.

ECB is almost never used because of the reasons stated. The most popular mode is CBC because errors do not propagate throughout the entire message if bits are lost like they do in OFB. CBC is used over CFB because the error propagation is usually smaller, only two blocks, and because the bit changes that do occur happen in a predictable manner to the later blocks. For example, when using CBC, if Block 1 has bits flipped in it during transmission, Block 1 will be seemingly random, and Block 2 will have the exact bits flipped where they were in Block 1 during transmission. This is not true for CFB. In CFB mode, bits flipped in Block 1 are the exact bits that are flipped in Block 1 of the deciphered message. The later blocks then appear random. If an attacker is going to flip bits while the cipher text is being transmitted, it is always better to receive a random-looking block on decryption, alerting you that tampering has occurred and to not trust anything that comes after the altered block, because you cannot necessarily tell where the error begins—only that one has occurred.

DES (discussed previously) is only one of many block ciphers. DES was the original block cipher backed by a National Institute of Standards and Technology (NIST) publication. NIST is a United States government agency that performs research, develops technical standards, and promotes technological advances. However, because of the small key size involved in DES, 56 bits, it was only thought to be secure for 5 years because computers today can quickly perform a brute force attack against 56 bits. Triple DES (3DES) applies the DES algorithm to the plain text three times, for a key length of 168 bits. The primary drawback to 3DES is performance. In 2001, NIST announced a new algorithm called Advanced Encryption Standard (AES), which was adopted as a standard in May 2002. AES has three key sizes: 128, 192, or 256 bits.
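An added example, not the book's code, of what the ECB and CBC modes described above do with a repeated plain text block, with a reordered block, and with a cipher text bit flipped in transit. It uses a toy 8-byte block cipher constructed for this example (a four-round Feistel network with an HMAC-SHA256 round function, which keeps the block function invertible in a few lines); the key, the IV, the three-block message, and all function names are constructed too, and the toy cipher is not meant for real data.

```python
# Added example (not from the textbook): ECB versus CBC on a toy 8-byte block
# cipher. The block function is a 4-round Feistel network with an HMAC-SHA256
# round function; it is constructed for illustration only, not for real data.
import hashlib
import hmac

BLOCK = 8  # block size in bytes of the toy cipher


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, r):
    """Round function F: the first 4 bytes of HMAC(key, round number || right half)."""
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key, block):
    """Feistel rounds: L' = R, R' = L XOR F(R). Any F gives an invertible block function."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l  # final swap so that decryption is the same loop run backwards


def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l


def blocks(data):
    """Split data into BLOCK-sized pieces (data length must be a multiple of BLOCK)."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plain):
    """ECB: every block is encrypted on its own, so equal plain blocks give equal cipher blocks."""
    return b"".join(block_encrypt(key, b) for b in blocks(plain))


def ecb_decrypt(key, cipher):
    return b"".join(block_decrypt(key, b) for b in blocks(cipher))


def cbc_encrypt(key, iv, plain):
    """CBC: each plain block is XORed with the previous cipher block (the IV first) before encryption."""
    out, prev = [], iv
    for b in blocks(plain):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, cipher):
    out, prev = [], iv
    for c in blocks(cipher):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def flip_bit(data, byte_index, bit):
    """Simulate one cipher text bit flipped in transit (Mallory, or line noise)."""
    tampered = bytearray(data)
    tampered[byte_index] ^= 1 << bit
    return bytes(tampered)


def cbc_bitflip_effect(key, iv, plain):
    """Flip bit 0 of the first cipher byte and decrypt: block 1 comes back as garbage,
    block 2 has exactly that bit inverted, later blocks are untouched (the CBC rule above)."""
    return blocks(cbc_decrypt(key, iv, flip_bit(cbc_encrypt(key, iv, plain), 0, 0)))


def ecb_reorder_effect(key, plain):
    """Swap the first two cipher blocks and decrypt: under ECB the swap goes unnoticed."""
    c = blocks(ecb_encrypt(key, plain))
    return ecb_decrypt(key, c[1] + c[0] + b"".join(c[2:]))


# Constructed sample: a key, an IV, and a three-block message whose first and third blocks repeat.
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
MESSAGE = b"yes".ljust(BLOCK) + b"no".ljust(BLOCK) + b"yes".ljust(BLOCK)
```

With ECB the first and third cipher blocks are identical (Eve sees that the same answer was given twice) and swapping blocks decrypts cleanly to the reordered message; with CBC the repeated block is hidden and a flipped bit produces one garbage block followed by one block with the same bit flipped, which is the behaviour the CBC bullet describes and the reason a garbage block on decryption is a useful tamper signal.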

The block size is 128 bits. A similar encryption algorithm, Rijndael, supports key and block sizes in any multiple of 32 between 128 and 256 bits. AES has been approved by the National Security Agency (NSA), a United States government agency responsible for collecting and analyzing foreign communications and protecting the confidentiality of U.S. government data. AES has gained in popularity and is now a commonly used symmetric encryption protocol.

Other block ciphers include, but are not limited to, the following:
▲ Desx
▲ Blowfish
▲ Cast
▲ Skipjack
▲ Twofish

There are many, many more.

3.2.5 Sharing Keys

With strong block ciphers created, the ability to use them is still hindered by the fact that the key must be known by both parties before the algorithm can be used. Often, the other party you are going to communicate with is known, so keys can be created and shared in a secure manner before communication begins. This type of key generation is called using a pre-shared secret. The key is shared between parties before communication begins. However, what if Alice wants to communicate with Bob, but she has never met Bob before, so that they do not have a pre-shared secret key? How then can Alice and Bob communicate securely? They could create keys and encrypt them so no one knows the keys, but how are they going to encrypt them without common keys?

One way to solve this problem is to use a trusted third party, Trent. Alice will create a key to be used to communicate with Bob. She will encrypt this key using a pre-shared key that she has with Trent and then send the key to Trent. Trent will then be able to decrypt the key he received from Alice using their preshared key and then encrypt it with a key he has pre-shared with Bob and send it to him. Now both Alice and Bob have a common shared key, and only Trent, Alice, and Bob know what the key is. However, this scheme has problems. What if Trent is really not Trent at all but Mallory? Now she has the key and can decrypt any communication between the two parties. Also, this scheme requires that the sending and receiving parties have a pre-shared key with Trent. Implementing a system like this would be a huge logistical problem, starting with Trent.

Another way to share a key between two parties is for the parties to create the key on the fly, in a secure manner. A method for generating keys in this manner is called a key agreement protocol.

One classic key agreement protocol is Diffie-Hellman key exchange. For this protocol to work, both Alice and Bob agree to use a specific prime number (p) and a base number (g). Next, Alice and Bob each choose a secret integer. We’ll refer to Alice’s secret integer as “a” and Bob’s secret integer as “b”.

Alice sends Bob the value of the following calculation:
g^a mod p

Bob sends Alice the value of the following calculation:
g^b mod p

Alice calculates the key by using the following formula:
Key = (Message_Bob)^a mod p

Bob calculates the key by using the following formula:
Key = (Message_Alice)^b mod p

Alice and Bob both calculate the same value for the key. Eve would need to determine both secrets a and b to arrive at the correct value. This is very difficult to do because it would require Eve to solve the discrete logarithm problem, for which efficient algorithms do not exist at this time.

However, a man-in-the-middle attack can be launched against this type of key agreement protocol, as shown in Figure 3-6. In a man-in-the-middle attack, Mallory intercepts the message sent from Alice to Bob and that sent from Bob to Alice. She pretends to be Bob when Alice sends a message to Bob, and pretends to be Alice when Bob sends a message to Alice. With Mallory in the middle of this key exchange, she can create her own two secret keys and exchange communications with Alice and Bob, forwarding the messages so Alice and Bob are none the wiser. When Alice sends a message to Bob using what she thinks is the key Bob has, she really uses the one Mallory set up with her. The message is sent. However, Mallory intercepts it, decrypts it, reads or changes it, and then re-encrypts it with the key set up between Mallory and Bob.

Figure 3-6
Alice <-> Mallory (pretends to be Bob) | Mallory (pretends to be Alice) <-> Bob
Man-in-the-middle attack.
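The Diffie-Hellman exchange above and the man-in-the-middle attack on it, as an added Python example that is not part of the textbook. The prime p = 23, the base g = 5, and the secret integers are small constructed values so every step can be checked by hand; the function names are this example's own. The discrete-logarithm function shows Eve's task at this toy size, which is exactly why real groups are far larger.

```python
# Added example (not from the textbook): Diffie-Hellman key agreement and the
# man-in-the-middle attack on it, with tiny constructed parameters.

P = 23  # constructed textbook-sized prime; real use needs a large, standard group
G = 5   # base: a generator of the multiplicative group mod 23


def public_value(secret, p=P, g=G):
    """The value a party sends: g^secret mod p."""
    return pow(g, secret, p)


def shared_key(received, secret, p=P):
    """Key = (value received from the other side)^secret mod p."""
    return pow(received, secret, p)


def honest_exchange(a, b):
    """Alice (secret a) and Bob (secret b) exchange directly; both derive the same key
    because (g^b)^a = (g^a)^b = g^(ab) mod p."""
    alice_key = shared_key(public_value(b), a)
    bob_key = shared_key(public_value(a), b)
    return alice_key, bob_key


def discrete_log_by_trial(target, p=P, g=G):
    """Eve's problem: find x with g^x mod p == target. Trial search only works because
    p is tiny here; for real group sizes no efficient algorithm is known."""
    for x in range(p):
        if pow(g, x, p) == target:
            return x
    return None


def man_in_the_middle(a, b, m1, m2):
    """Mallory replaces Alice's and Bob's values with her own (secrets m1 and m2).
    Alice shares a key with Mallory, Bob shares a different key with Mallory, and
    neither shares a key with the other. Returns (alice_key, bob_key,
    mallory_with_alice, mallory_with_bob)."""
    alice_key = shared_key(public_value(m1), a)      # Alice received Mallory's value, not Bob's
    bob_key = shared_key(public_value(m2), b)        # Bob received Mallory's value, not Alice's
    mallory_with_alice = shared_key(public_value(a), m1)
    mallory_with_bob = shared_key(public_value(b), m2)
    return alice_key, bob_key, mallory_with_alice, mallory_with_bob
```

Nothing in the exchange lets Alice tell whether the value she received came from Bob or from Mallory, which is the gap the text points at: the protocol agrees a key but authenticates nobody, so it has to be combined with an authentication mechanism.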

The Diffie-Hellman key exchange is still in use today; however, it is commonly used with authentication mechanisms to help mitigate man-in-the-middle attacks.

FOR EXAMPLE: Choosing a Symmetric Encryption Protocol
You are on the team to draft your company's security policy. You need to identify the acceptable algorithms for symmetric encryption. You identify AES as being the preferred symmetric encryption protocol because of its strength, and for highly confidential data, you require a key length of 256 bits. You identify 3DES as an acceptable algorithm when AES is not available, such as on computers running Windows XP without Service Pack 1. You do some research and find that by installing Service Pack 1 (or later) on computers running Windows XP, or upgrading to Windows Vista, you can ensure that files encrypted using the built-in encryption feature Encrypting File System (EFS) will be encrypted using the AES algorithm. You also discover that Windows Server 2003 uses AES for EFS encryption. Windows 2000 uses DESX, which is a variant of DES. You recommend upgrading all computers running Windows 2000 to an operating system that supports AES.

SELF-CHECK
1.
2. Describe the block cipher encryption methods.
3. Describe the purpose of the Diffie-Hellman key exchange.

3.3 Asymmetric Encryption
Asymmetric encryption requires the use of two keys: a private key that is known only by its owner and a public key that is readily available to those who need to use it. It is important to note that asymmetric encryption has the property that figuring out one key from the other should be as hard as decrypting the message without any key. Stated another way, the computational power required to decrypt an asymmetrically encrypted message is approximately the same as deducing one asymmetric key from the other.

In this section we'll look at how asymmetric encryption can be used for ensuring confidentiality and authentication.

3.3.1 Ensuring Confidentiality with Asymmetric Encryption
One of the primary uses of asymmetric encryption is to encrypt a symmetric encryption key. Most symmetric algorithms have a key size somewhere around 128 to 256 bits. These keys can be encrypted in a single asymmetric message block. Now the problem of sharing a symmetric key is easy. Alice creates the two keys required for asymmetric encryption and publishes one of them to the world. Now everyone in the world, including Bob, has access to this key (Alice's public key). This means Bob, or anyone else in the world, can encrypt data and send it to Alice for only Alice to read. Remember, the only person that can decrypt the cipher text is Alice, or the person with Alice's private key.

1. Bob creates a symmetric key.
2. He uses Alice's public key to encrypt the symmetric key so no one else can read it.
3. He sends the encrypted symmetric key to Alice.
4. Alice receives the encrypted symmetric key, decrypts it with her private key, and begins communicating with Bob using the symmetric key he created.

This means only one message (the encrypted symmetric key) needs to be sent from Alice to Bob using an asymmetric algorithm before they can communicate using a symmetric algorithm.

But why would you use the symmetric key encryption algorithms at all? If asymmetric algorithms are secure and you already have everyone's public key, why bother with creating a symmetric key and using symmetric algorithms? The answer to that question is simple—for speed. For example, assume that your computer can encrypt 35,633 1024-bit messages in 10 seconds using RSA (a standard asymmetric encryption algorithm developed by Ron Rivest, Adi Shamir, and Len Adleman). Using AES, the standard for symmetric encryption, in CBC mode on the same computer, you can encrypt 69,893 1024-bit messages in only 3 seconds. Using symmetric encryption is more than 6.5 times faster than using asymmetric encryption. Assuming both algorithms are secure, why would you use one that is 6.5 times slower than the other? Asymmetric encryption is slow because, for most algorithms, it uses properties of number theory to derive its strength. The addition and multiplication of these very large (1024-bit) numbers takes a very long time on computers compared to the binary operations performed in symmetric key encryption. Even though asymmetric encryption is very slow, it does a very good job of solving the problem of sharing keys.

3.3.2 Digital Signatures
A digital signature encrypts a message with a private key so that anyone can read it, but verify that it came from the holder of the private key, because only the person who holds the private key can create cipher text that can be decrypted using the public key. Now anyone can read Alice's message and can also verify that it truly came from her and no one else. Using asymmetric encryption is really, really slow. Does this mean digital signatures are really slow as well? If the digital signature implementation encrypted the entire file, it would be slow. To alleviate this problem, the message is represented as a smaller message, which is signed by Alice and sent along with the unencrypted original message. This smaller message is so small that it takes only a tiny amount of time to sign. You go about making this smaller message that represents the larger one with a hash function. We'll discuss hash functions next.

Figure 3-7: Digital signature of a hash. Signer: document -> hash -> sign (private signature key) -> signature. Verifier: document -> hash; signature -> verify (public verification key) -> yes/no.

FOR EXAMPLE: Using Digital Signatures
You are on the team that is drafting the company's security policy. The policy must describe accepted practices regarding downloading code from the Internet. You know that one option you can select is to enable, disable, or prompt the user before downloading unsigned ActiveX controls. You know that a digitally signed ActiveX control provides you the assurance that the party that signed the control developed the code. You decide to permit users to download signed controls, but prevent them from downloading unsigned controls.

SELF-CHECK
1. Compare asymmetric encryption with symmetric encryption.
2. Identify the cryptography goal addressed by digital signature.

3.4 Hashes
The final primitive of cryptography is hash functions. In this section, we'll discuss how a hash function works and its uses.

3.4.1 Hash Functions
A hash function takes a message of any size and computes a smaller, fixed-size message called a digest or hash (we will use the term digest to refer to the product of a hash function). The way in which these hash functions compute a digest from an arbitrarily large message is beyond the scope of this course; however, there are three properties of all hash functions that make them very valuable:

1. Given a digest, it is computationally infeasible to find the original message that created this digest.
2. Given a digest, it is computationally infeasible to find a second message that will create the same digest.
3. It is computationally infeasible to find two messages that can hash to the same digest.

These properties not only make hash functions very useful in the application of digital signatures but also in storing passwords, in authentication protocols, to provide integrity, and to create pseudorandom data. For example, when storing a password, only the digest needs to be stored, because the original message cannot be discovered from a digest.

Hash functions are used to provide better performance when signing large blocks of data using asymmetric encryption. The computation required to compute a digest is very small. Based on the performance of most modern computers, simply reading a file off of the hard disk requires approximately the same amount of time as computing the hash while doing it. For example, remember in the previous example that with AES in a CBC chain, 69,893 1024-bit messages could be encrypted in 3 seconds. In that same 3 seconds (given the same computer performance), SHA-1, the standard for hashing, can hash 224,800 1024-bit messages. SHA-1 can compute digests 3.2 times faster than AES can encrypt those messages. One example of a proprietary hash function is Message-Digest algorithm 5 (MD5).

FOR EXAMPLE: Using Hashes with Digital Signatures
You present the security policy on downloading code to the management team at your company. One of the managers expresses concern that an ActiveX control might be signed and later modified by an attacker in such a way that it does something malicious. You explain that the implementation of code signing creates a hash of the program and signs that. You demonstrate how a change to the code will cause it to hash to a different value. This way, signed code guarantees integrity as well as authentication.

3.4.2 Using Hash Functions to Ensure Integrity
A message always hashes to the same digest no matter how many times you compute it. The only way to change what digest is created is by changing the message. If Mallory changes a message while it's in transit, the message's digest will be changed as well. This property provides the proof of message integrity. To protect message integrity, Alice must only compute her message's digest, and send the digest encrypted with Bob's public key to Bob along with the message. When Bob receives the message he can compute the digest the same way Alice did, and verify that the message has not been altered in any way.

One issue to consider with hash functions is their resilience to hash collisions. A hash collision is the probability that the same hash will be generated from different data. There are two algorithms that attempt to deal with the problem: Universal One Way Hash Function (UOWHF) and Collision Resistant Hash Function (CRHF). Of the two, CRHF is considered to be more secure.

3.4.3 A Vulnerability When Protecting Passwords
Going back to password storage with a hash function, anyone can read the file containing the passwords, but no one can use this information to figure out someone's passwords. However, users do not like passwords and have trouble remembering good ones, such as xSok32$lK329@)O. So instead, they create weak passwords like "fluffy", their cat's name. Mallory, who is looking to attack this type of password scheme, can compute the digest of all the words in a dictionary and compare those digests to the ones stored in the password file. If one of the digests from the dictionary matches one in the password file, Mallory has discovered the password. Therefore, one simple way of preventing this is to randomly salt the password before it is hashed (see Figure 3-8).

Figure 3-8: Salting. password + salt (pseudorandom value) -> hash -> digest.

Salting is the addition of pseudorandom data to a message before it is hashed so that the aforementioned dictionary attack cannot be carried out. The random data that is added is not too random, or no one would be able to verify the password. Instead, the random data is chosen from one of only a few thousand possibilities. This randomly selected piece of data is concatenated to the password and then hashed. To verify the user's password, all combinations of the password and the random piece of data must be computed. If one of them matches, you can verify the password is correct. If none of them match, this password is not correct. This might seem like a lot of work, though. However, because hashing is a fast computation, computing a few extra thousand digests for a single password is not a big deal. Computing a few extra thousand digests for all the words in the dictionary, however, makes a brute force attack more difficult to carry out. As computers grow faster, the number of different salting values used is increased.

3.4.4 Creating Pseudorandom Data with Hash Functions
Bringing the discussion of cryptographic primitives full circle, hashing algorithms can be a great source of pseudorandom data. The following is a method for creating pseudorandom data:

1. Seed a hash function with a short random message. The resulting digest will be pseudorandom and the first number generated.
2. Using this number and a combination of the original seed, create a new message and compute its digest. This new digest is another pseudorandom number. The original seed and the digest must be used together because the digest alone is too small to compute a digest from. Remember, the message is larger than the digest.

This process is continued for as long as needed.

Like any pseudorandom function, the hashing algorithm will eventually cycle. However, the number of hashes needed to cause the algorithm to cycle is considered computationally infeasible. This same basic method can be used to create a stream cipher. Simply use the key as your seed message. Then use the output of the hash function XORed with the plain text to create the cipher text. This is exactly like a one-time pad, but using a hash function as the random number generator.

3.4.5 Keyed Hash Functions
While most hash functions do not require any sort of key to create their digests, there are hash functions designed to require keys. The idea behind these functions is that they hold all of the same principles as a regular hash function and that they have the additional property that the digest cannot be created without the proper key. Being able to create a message and key combination that hashes to the same digest should be computationally equivalent to enumerating through all the keys. Any regular hash function can be turned into a keyed hash function and vice versa. However, it is important to know that such functions exist.

FOR EXAMPLE: Using Hashes to Solve a Common Administration Problem
It happens all the time. A user forgets his password or leaves his smart card at home. He needs to be able to log on to the network. What do you do? RSA's Sign-On Manager's IntelliAccess uses hashes to solve this problem. IntelliAccess asks the user a number of questions and hashes their answers. It then stores the hash for later use. When the user needs access to the network because he forgot his smart card, PIN, or password, the user can still gain access by answering the questions. Sign-On Manager hashes the user's answers and compares them with the ones he provided previously. If the hashes are the same, the user can be granted emergency access to the network.
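The three hash uses of sections 3.4.3 to 3.4.5 in one added Python example; it is not code from the book. SHA-256 as the hash, a salt space of 4096 values, and HMAC as the keyed construction are assumptions of the example. Following the text, the salt is not stored beside the digest, so verification tries every salt value; the pseudorandom generator feeds the seed back in each round exactly as the two steps above describe, and the stream cipher is that generator XORed into the plain text.

```python
"""Hash uses of 3.4.3 to 3.4.5: salted password digests, a hash-driven
pseudorandom stream, and a keyed hash. Added illustration, not book code.
SHA-256, a 4096-value salt space and HMAC are assumptions of this example."""
import hashlib
import hmac
import secrets

SALT_CHOICES = 4096   # "one of only a few thousand possibilities" (assumed size)

def store_password(password):
    """Keep only sha256(salt || password). As in the text, the salt itself is
    not stored, so a verifier must try every salt value."""
    salt = secrets.randbelow(SALT_CHOICES).to_bytes(2, "big")
    return hashlib.sha256(salt + password.encode()).digest()

def verify_password(candidate, stored):
    """Correct iff some salt || candidate hashes to the stored digest."""
    for s in range(SALT_CHOICES):
        trial = hashlib.sha256(s.to_bytes(2, "big") + candidate.encode()).digest()
        if hmac.compare_digest(trial, stored):   # constant-time comparison
            return True
    return False

def hash_prng(seed, count):
    """3.4.4: digest_1 = H(seed), digest_i = H(seed || digest_{i-1}).
    The seed is fed back each round because a digest alone is too short."""
    out, prev = [], hashlib.sha256(seed).digest()
    for _ in range(count):
        out.append(prev)
        prev = hashlib.sha256(seed + prev).digest()
    return out

def stream_cipher(key, data):
    """Seed the generator with the key and XOR its output into the text;
    the same call decrypts. Never reuse a key: two messages under one
    keystream leak their XOR, exactly as with a reused one-time pad."""
    stream = b"".join(hash_prng(key, (len(data) + 31) // 32))
    return bytes(d ^ k for d, k in zip(data, stream))

def keyed_digest(key, msg):
    """3.4.5: HMAC-SHA256. The digest cannot be produced without the key, and
    HMAC avoids the length-extension weakness of a plain sha256(key || msg)."""
    return hmac.new(key, msg, hashlib.sha256).digest()
```

The verifier does the book's "few extra thousand digests" per login, which is cheap; someone testing a whole dictionary against the file pays that factor for every word. Current practice goes further than the text: a long random salt is stored next to the digest and the hash is a deliberately slow password function, so the per-guess cost is high even when the salt is known.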
SELF-CHECK
1. Describe the reason password digests are salted.

3.5 Achieving CIA
As a review, let's look at how the four cryptographic primitives can be used to achieve CIA. We'll consider four scenarios in which Alice is sending a message to Bob. She requires confidentiality in the first scenario, message integrity in the second, message authentication in the third, and all three in the fourth scenario. For all four scenarios, assume that Alice and Bob have traded public keys and that they trust these public keys. It is important to note that while these scenarios demonstrate the ability to ensure these properties, they are not the only way to ensure them.

3.5.1 Confidentiality
Alice wants to send a message to Bob without anyone else being able to read it. This can be accomplished using symmetric encryption and asymmetric encryption, as follows:

1. Alice creates a symmetric key and encrypts it using Bob's public key.
2. Alice sends the encrypted symmetric key to Bob.
3. Alice encrypts her message using the symmetric key and a symmetric key algorithm, and sends the message to Bob.
4. Bob, and only Bob, is able to read the message because he has the symmetric key that was sent encrypted with his public key.

Confidentiality is ensured.

3.5.2 Integrity
Alice wants to send a message to Bob and ensure the message is not changed during transmission. To do so, she can use a hash function and asymmetric encryption, as follows:

1. Alice hashes her message and encrypts the resulting digest with Bob's public key.
2. Alice sends the message and the encrypted digest to Bob.
3. Bob is able to verify that the message has not been altered because he too can compute the message's digest and verify it with the digest sent with the message. Mallory cannot change the message because the computed digest would not match the sent one. Mallory cannot change the sent digest because it is encrypted with Bob's public key.

Integrity is ensured.

3.5.3 Authentication
Alice wants to send a message to Bob and prove to Bob that she was the sender. She can accomplish this using only a hash function, as follows:

1. Alice hashes her message and digitally signs the digest using her private key.
2. She sends the message and the signed digest to Bob.
3. Bob can verify the signature because he has Alice's public key. He can also verify that the digest belongs to that message because he can compute the digest. The only person that could create such a signed digest is Alice because only Alice has her private key.

Authentication is ensured.

3.5.4 CIA
Alice wants to send a message to Bob and in the process make sure that no one else can read the message, ensure that the message does not change, and prove to Bob that she was the sender of this message. To do this, multiple encryptions, hashing, signing, verifying, and decryption must be performed, as follows:

1. Alice creates a symmetric key and encrypts the key with Bob's public key.
2. Alice sends the encrypted symmetric key to Bob.
3. Bob is able to receive the symmetric key from Alice because only he has the private key to decrypt the encryption.
4. Alice computes a digest of the message and digitally signs it.
5. Alice encrypts her message and the message's signed digest using the symmetric key and sends the entire thing to Bob.
6. Bob, and only Bob, can decrypt the symmetrically encrypted message and signed digest because he has the symmetric key (confidentiality).
7. He is able to verify that the message has not been altered because he can compute the digest (integrity).
8. Bob is also able to prove to himself that Alice was the sender because only she can sign the digest so that it is verified with her public key (authentication).

While the last protocol seems a bit extreme, even to send the shortest message, it ensures confidentiality, integrity, and authentication. This is part of the reason why speed is so important in cryptography, and why the fastest algorithm should be used when appropriate. Multiple protocols will ensure any combination of the three CIA properties. Each protocol has its advantages and disadvantages. Sometimes the protocol used to complete a task is more important than the primitive used. Always make sure standards are followed when implementing any primitive or protocol.
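The four scenarios above, together with the key wrapping of section 3.3.1 and the hash-then-sign signature of section 3.3.2, as one added Python example; this is not the book's code. It assumes textbook RSA over fixed Mersenne primes with no padding and a SHAKE-256 keystream as the symmetric cipher, chosen only so that every protocol step is visible in a few lines. A real implementation uses a vetted library with padded RSA or a modern signature scheme and an authenticated symmetric cipher.

```python
"""Alice-to-Bob scenarios of 3.5 (plus 3.3.1 key wrapping and 3.3.2 signing).
Added illustration, not code from the book: raw RSA on fixed Mersenne primes
and a SHAKE-256 keystream cipher, both assumptions made for readability only."""
import hashlib
import secrets

def rsa_keygen(p, q, e=65537):
    """Return (public (n, e), private (n, d)); p and q are assumed prime."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa_apply(key, m):
    """Raw m^exp mod n: the public key encrypts/verifies, the private key
    decrypts/signs. Blocks must be smaller than the modulus."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(m, exp, n)

def sym_xor(key, data):
    """Symmetric cipher: XOR with a hash-derived keystream (encrypt == decrypt)."""
    return bytes(x ^ y for x, y in zip(data, hashlib.shake_256(key).digest(len(data))))

def digest_int(msg):
    """SHA-256 digest as an integer: the 'smaller message' that gets signed."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

# Toy key pairs (Mersenne primes, assumed): Alice signs, Bob receives.
ALICE_PUB, ALICE_PRIV = rsa_keygen(2**127 - 1, 2**521 - 1)
BOB_PUB, BOB_PRIV = rsa_keygen(2**107 - 1, 2**607 - 1)
SIG_LEN = (ALICE_PUB[0].bit_length() + 7) // 8   # bytes needed to carry a signature

def confidentiality(msg):
    """3.5.1: Alice wraps a fresh symmetric key with Bob's public key.
    Returns what Bob reads after unwrapping it with his private key."""
    key = secrets.token_bytes(16)
    wrapped = rsa_apply(BOB_PUB, int.from_bytes(key, "big"))
    ciphertext = sym_xor(key, msg)
    key_at_bob = rsa_apply(BOB_PRIV, wrapped).to_bytes(16, "big")
    return sym_xor(key_at_bob, ciphertext)

def integrity(msg, delivered=None):
    """3.5.2: the digest travels encrypted under Bob's public key.
    Returns True iff the delivered message matches the digest Alice sealed."""
    sealed = rsa_apply(BOB_PUB, digest_int(msg))
    received = msg if delivered is None else delivered
    return rsa_apply(BOB_PRIV, sealed) == digest_int(received)

def authentication(msg, delivered=None):
    """3.5.3 / 3.3.2: Alice signs the digest with her private key; Bob recomputes
    the digest of what he received and checks it under Alice's public key."""
    signature = rsa_apply(ALICE_PRIV, digest_int(msg))
    received = msg if delivered is None else delivered
    return rsa_apply(ALICE_PUB, signature) == digest_int(received)

def cia(msg):
    """3.5.4: wrapped key, then signed digest + message under the symmetric key.
    Returns (message Bob reads, whether Alice's signature verified)."""
    key = secrets.token_bytes(16)
    wrapped = rsa_apply(BOB_PUB, int.from_bytes(key, "big"))                    # steps 1-2
    signature = rsa_apply(ALICE_PRIV, digest_int(msg)).to_bytes(SIG_LEN, "big")  # step 4
    body = sym_xor(key, signature + msg)                                        # step 5
    key_at_bob = rsa_apply(BOB_PRIV, wrapped).to_bytes(16, "big")               # step 3
    plain = sym_xor(key_at_bob, body)                                           # step 6
    sig_at_bob, msg_at_bob = int.from_bytes(plain[:SIG_LEN], "big"), plain[SIG_LEN:]
    verified = rsa_apply(ALICE_PUB, sig_at_bob) == digest_int(msg_at_bob)      # steps 7-8
    return msg_at_bob, verified
```

Each function does both sides of the exchange so the reader can see which key is used at which step: only Bob's private key opens the wrapped symmetric key, only Alice's private key produces a value that checks out under her public key, and changing a single byte of the delivered message changes its digest and fails the integrity and authentication checks.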

FOR EXAMPLE: Understanding Pretty Good Privacy
Pretty Good Privacy (PGP) encryption is a freeware encryption program developed by Phil Zimmermann in 1991. It uses symmetric keys, asymmetric keys, and hashes to provide CIA. Users obtain a private key and public key pair. The public key can be distributed to third parties. To ensure confidentiality, PGP uses the following strategy:

1. The sender encrypts a message using a shared key.
2. The sender encrypts the shared key using the recipient's public key.
3. The recipient decrypts the shared key using his private key.
4. The recipient decrypts the message using the shared key.

PGP uses the following strategy to ensure authentication and integrity:

1. The sender creates a digest of the message.
2. The sender creates a digital signature of the digest using his private key.
3. The recipient creates a digest of the message and uses the signature algorithm with the sender's public key to determine whether the digests match.

SELF-CHECK
1. Describe how you can securely exchange symmetric keys.
2. Describe the most optimal way to provide integrity.

3.6 Public Key Infrastructure (PKI)
Now that you understand the key elements of cryptography and why they are important, let's turn our attention to digital certificates and how they can be securely distributed. We'll first define digital certificates and then examine how to design a secure public key infrastructure (PKI) using Microsoft's Certificate Services. Finally, we'll overview some certificate management functions.

3.6.1 Digital Certificates
X.509 certificates, also known as digital certificates or just certificates, are electronic documents that contain information about the owner of the certificate, the public key of the owner, and the signature of the validator of the information in the certificate (the validator is called a certificate authority, or CA).

The X.509 certificate contains a number of fields, along with their values, including those shown in Figure 3-9.

Figure 3-9: X.509 certificate details.

The main function of a certificate is to link a public key to the information about a user or computer contained in the certificate. Of course, anyone can create a certificate and say that he or she is from Microsoft or from any other company. On its own, you cannot trust the information in the certificate because it could have been forged or manipulated in transit. The strength of certificates comes from a trusted third party certifying that the certificate information is valid and that the document has not been altered in transit.

There are different types of certificates for different applications. These applications will use certificates for everything from encrypting email and securing web communications to encrypting files. Windows Server 2003 provides templates for generating certificates for various applications; these templates are called certificate templates. They provide the fields necessary for the application that uses the certificate. The creation, verification, and revocation of certificates require an infrastructure to help manage the processes.

3.6.2 Public Key Infrastructure
A public key infrastructure (PKI) is the technology, software, and services that allow an organization or organizations to securely exchange information and validate the identity of users, computers, and services.

This infrastructure is made up of a variety of services and components, as the following list illustrates:

▲ Digital certificates
▲ Certificate Authority
▲ Certificate revocation list (CRL)
▲ Technology to distribute certificates and certificate revocation lists
▲ Tools to manage the PKI
▲ Software that uses PKI [web browsers, email, Active Directory, web servers, Internet Authentication Service (IAS) for authentication, virtual private network (VPN), Routing and Remote Access Service (RRAS), EFS, etc.]
▲ Certificate templates

Certificate Authority
At the heart of the PKI is the certificate authority (CA), which verifies the information in the certificate and then digitally signs the certificate with its public key. A CA can be a public third-party CA like Verisign, Thawte, or RSA, or you can set up a private CA in your own organization. There's more on choosing between a public or private CA a little later in this chapter. PKI-enabled applications must be set up to trust the CA, which means that you trust the certificate. A CA needs to perform the following roles:

▲ Maintain a root certificate to distribute its public key.
▲ Identify the certificate requestor and validate its identity.
▲ Issue certificates to requestors.
▲ Maintain a database of registered users (certificates issued).
▲ Generate and maintain a CRL.

Requesting Certificates
A certificate is created through a separate tool or a tool contained in a PKI-enabled application. The certificate request contains the public key of the requestor and the proper fields for the type of certificate requested. The certificate request is then submitted to the CA (through a website, email, or other means), which verifies the information, signs the certificate if the information checks out, and returns the certificate to the requestor. By signing the certificate, the CA is essentially making a statement that the person sending the certificate is who they say they are, based on the proof of identity that the CA required. Verification can come in many forms, from confirming that the requestor owns the DNS domain for his or her web application to requiring the requestor to meet in person with a representative and provide two or three forms of identification like a driver's license, Social Security card, or passport. This can vary from simply verifying that the domain is correct to doing a background check and having someone physically verify the identity of the requestor.

The amount of verification depends on the type and use of the certificate. Of course, a certificate can't vouch for the character of the person or company, but at least you know they are who they say they are. The requestor then installs the certificate into his or her application to provide identity validation and encryption. If someone tries to alter the certificate, you will be alerted by the PKI-enabled application (like a web browser) that participates in the PKI process, because the hash in the signature will not match the one in the certificate.

Configuring Trust
You can view and configure certificates in PKI-enabled applications. The client-side certificates used by Internet Explorer and Outlook Express can be managed through Internet Explorer on Windows XP. To view a certificate:

1. Start Internet Explorer.
2. Choose Tools and then Internet Options to open the Internet Options dialog box.
3. Click the Content tab, shown in Figure 3-10.

Figure 3-10: The Content tab of the Internet Options dialog box.

4. Click the Certificates button to open the Certificates dialog box.
5. Click the Trusted Root Certification Authorities tab, shown in Figure 3-11. Here, you will see all the certificates that are trusted. Well-known public CAs are listed by default. You can add a trusted CA by clicking Import and selecting the CA's certificate.
6. Double-click any one of the certificates listed in the list box to open the Certificate dialog box, shown in Figure 3-12.
7. Click the Details tab to view the fields that are contained in the certificate (refer back to Figure 3-9).

Figure 3-11: The Trusted Root Certification Authorities tab of the Certificates dialog box.

3.6.3 Designing a CA Hierarchy
When determining how certificates will be used on your company's network, you need to analyze business requirements and make a number of decisions. In this section, we will give you an overview of what you need to consider when designing a certificates strategy.

Determining Certificate Requirements
Applications that use PKI will require a number of types of certificates to be installed. You will need to decide which applications will require certificates and what types of certificates those applications will require.

Figure 3-12: The General tab of the Certificate dialog box.

You would have to also consider the methods for deploying the certificates. Table 3-2 lists some technologies that rely on certificates and the ways applications might use certificates.

Choosing Public or Private CAs
After you have determined what applications you need to secure, you will need to decide whether to implement a private CA or use a commercial CA (public CA). There are different reasons you might choose one or the other. You would use a commercial CA if you need to have a certificate trusted outside your organization. A commercial authority is widely trusted, so clients will not have to complicate things by installing a certificate for your CA. You also need to consider that users who are not employees of your company might not trust a privately implemented CA. You would set up a private CA if you have the need to control and administer your own certificates. You would also do so if you needed to deploy many certificates, because doing so with a commercial CA would be costly. The disadvantage to implementing a private CA is that it will likely require additional staff and servers to install and manage. For example, suppose your company has built an application that will be used over the web. Part of the application will require that private or sensitive information be sent over the Internet.

You would obtain a certificate from a commercial CA to implement SSL on your website because the commercial CA's certificate will be listed as a Trusted Root CA in the client's browser. The drawback is that you cannot administer your own certificates.

Table 3-2: Common Technologies That Rely on Certificates

Technology: Applications
Client authentication: Validating computers or clients on the network
Digital signatures: Signing a document to verify that it came from the appropriate user
Document encryption: Securing files on the file system of a computer. Microsoft's implementation of file encryption is EFS.
IP security (IPsec): Securing remote access to a network over a public network through encryption and authentication of machines
Secure email (Secure/Multipurpose Internet Mail Extensions, or S/MIME): Encrypting and signing email messages
Secure Sockets Layer (SSL) and Transport Layer Security (TLS): Encrypting traffic to and from a website, verifying the identity of the website
Server authentication: Verifying the identity of a server
Smart card logon: Providing authentication with smart card technology. A smart card is a special card that contains a digital certificate.
Software code signing: Verifying the source of the code and ensuring the code has not been altered since it was released

Designing the Roles of Certificate Authorities
When you establish a PKI in your own organization, you will need to choose the roles of the CA servers that you install. You have a choice of three different server roles:

1. Root CA role: The first CA you install in your organization is the root CA. The root CA server is the ultimate CA in the organization. It is responsible for signing all other subordinate CA certificates.

The root CA is the only server role that trusts itself, by signing its own certificate and issuing this root certificate to itself, a process known as self-signing. The role of the root CA is to authorize other CAs in the organization. Therefore, if your clients trust the root CA, then they trust the certificates issued by the root's subordinate CAs. The root CA is very important and it would be detrimental to network security if it was stolen or compromised, so it is recommended that it be kept offline.
2. Intermediate CA role: The root CA can certify the subordinate CAs to accept, approve, and issue certificates on its behalf. The intermediate CA can be used to certify requests for certificates. The intermediate CA is also known as a policy CA.
3. Issuing CA role: After the intermediate CA, you would install an issuing CA to enroll, deploy, and renew the certificates. The issuing CA is the CA that will communicate with the client applications and computers. The issuing CA is the server that needs to be available all of the time for proper CA functionality.

You will want to design for multiple CAs in your organization to provide availability and secure publishing points in your organization. With a two-level CA, the same server acts as an intermediate CA and an issuing CA, as shown in Figure 3-13. A three-tier hierarchy (shown in Figure 3-14) is more secure because it provides an extra layer of isolation between the root CA and the issuing CAs. This will reduce the number of times that the root CA's private key is exposed. You should not go more than three levels deep with your CA design, and two levels will be adequate for most organizations.

Figure 3-13: Two-tier CA hierarchy. Root CA, with two subordinate servers each acting as intermediate and issuing CA.

Figure 3-14: Three-tier CA hierarchy (a Root CA, an Intermediate CA below it, and two Issuing CAs below that).

You build a chain of trust, or a certificate path, when issuing certificates. The certificate that a user or a computer receives can be trusted because the issuing CA received its certificate from another CA or directly from the root CA. Therefore, you can verify the identity of the certificate holder as long as you trust the root CA and it is kept secure. You should keep the root CA secure. Because the root CA issues the certificates used by subordinate CAs, if the root CA is compromised, then all certificates issued by the root CA or any subordinate must be considered invalid, because whoever holds the root's private key can forge them.

3.6.4 Security Policy and PKI Implementation

When designing a CA hierarchy, you might find that legal requirements determine the type of hierarchy you choose. Countries have different legal requirements for encryption, and you need to make sure issued certificates do not violate these laws. Certain industries have requirements about how long documents must be kept; therefore, the keys needed to decrypt those documents must be retained, not destroyed or recycled, for that period. You need to create three documents to help determine the appropriate hierarchy for your organization: the security policy, the certificate policy, and the certification practice statement.

The Security Policy

The security policy is a document that defines the security practices that are used in the organization. The security policy defines the security concerns of the

organization, what it needs to protect, and what resources the organization wants to dedicate to security. The security policy should include information about the PKI in use in the organization. It defines the users, computers, and applications that will require certificates, the types and versions of certificates that will be issued, operational requirements for the CAs in the organization, and the procedures for securing CAs in the organization. You use this information to document procedures and practices with regard to CAs.

The Certificate Policy

The certificate policy defines how a certificate subject (user or computer) is verified before it is assigned a certificate, the types of actions that can be performed with the certificate, the level of trust that each certificate should have, the maximum monetary or intrinsic value that can be protected by this certificate, the enrollment and renewal process, the process for responding to lost keys, the legal liabilities if the different certificates are compromised, and any additional requirements surrounding a certificate that is issued in your organization. You also can include authentication and identification methods for enrollment and renewal.

The Certification Practice Statement (CPS)

The Certification Practice Statement (CPS) is a document that specifically defines how to implement the certificate policy on the organization's CA hierarchy. The CPS essentially defines the management of the CAs used in the organization, while the certificate policy defines the procedures for managing certificates. The CPS covers where the private keys will be stored (a separate hardware device or a computer hard drive), the audit policy for ensuring that the CPS is followed, and the obligations and liabilities of the organization with regard to the CA hierarchy. On a Windows server, the CPS can be published to the policy CAs through the use of a CAPolicy.inf file. The CPS will then be published to all subordinate CAs.

3.6.5 Trusting Certificates from Other Organizations

There are situations in which you need to trust users in other organizations. You will need to have processes in place to manage changes in the organization that will impact the CA hierarchy. If you need maximum control over who gets a certificate, or you don't trust the security policies of the other companies, you would issue and revoke certificates from your own CAs. You could issue certificates from your own CA servers to users in the other organization, or the other organization could be integrated into your CA hierarchy. This means that you need to decide on a method to securely distribute certificates to the other organization. You will also need to revoke certificates for people that leave the other organization, or certificates that are lost on a smart card or computer. The drawback to this is that you will need to manage the certificates for the other organization, which will constitute greater cost. Many organizations will not be ready to take on that much coordination and overhead.

There is an alternative to having to manage the certificates for the other organization: have the other organization manage their own certificates and trust the certificates that they issue. You can establish cross-certification to trust the certificates that are issued in the other organization. Cross-certification allows two organizations to trust each other and rely on each other's certificates and keys as if they were issued from their own certificate authorities. The two CAs exchange cross-certificates to enable users in each organization to interact securely with each other.

FOR EXAMPLE: Establishing a Cross-certificate Trust

Jenny is in charge of security at VanderDoes and Fenton, a large law firm in Philadelphia. The law firm takes security very seriously and has a PKI for two-factor authentication and wireless authentication of clients. The law firm is aggressively growing, which means it is merging with other law firms to increase its size and caseload. VanderDoes and Fenton recently acquired a medium-sized law firm. This law firm has its own PKI in place to support its applications and two-factor authentication. The lawyers from both firms are pushing for access to each other's systems. Jenny decides that, because VanderDoes and Fenton has an existing PKI, it would be faster to set up a cross-certification so that each PKI trusts the root from the other organization, rather than reissue all the lawyers' and personnel certificates from their CAs. This means that users will be able to gain access to the information in each domain with the minimal amount of work for Jenny and her staff.

In addition to the acquisition, VanderDoes and Fenton just purchased a new application that allows its clients to view the progress of a case from a website. The clients want access to the website, but they want assurances that their transactions will be secure. Jenny decides to require 128-bit encryption to maintain security over the Internet to the application. She authenticates the clients through the web server with basic authentication over SSL. She also decides to lease a certificate from a commercial CA to provide SSL to the web application.

3.6.6 Creating an Enrollment and Distribution Strategy

You eventually will need to decide how to issue certificates to the users, computers, and services that participate in the PKI. The process of requesting and installing the certificates for the users, computers, or services is called the enrollment strategy. There are many types of enrollment methods that you can use, depending on the type of CAs, the client computer operating system, the issuing policy requirements, and where the CAs are located in relation to the clients. The enrollment strategy you use depends on three factors:

1. The types of user, service, or computer accounts that will receive the certificates: You need to determine if the accounts or computers are connected to Active Directory. Also, are the accounts contained in your organization or external to your organization?

2. The type of CA you will be running: Certificate Services supports two types of CAs: a stand-alone CA and an enterprise CA. The enterprise CA is integrated with Active Directory (the directory system used by Windows 2000 and Windows Server 2003) and supports autoenrollment for certificates and the use of Group Policy (Active Directory's centralized management technology for user and computer configuration settings) and certificate templates to control the request and deployment of certificates. A stand-alone CA will only support web-based enrollment or command-line enrollment. A root CA should always be installed as a stand-alone CA because an enterprise CA cannot be taken offline. If you are running different CA software, your enrollment options will be limited to those supported by that software.

3. The client's operating system: The underlying operating systems for the participating clients will affect the means you can use to enroll and renew a certificate. For example, because autoenrollment by a CA running Microsoft's Certificate Services is supported only by Windows XP and Windows Server 2003, non-Windows operating systems will need to use the web page for enrollment.

3.6.7 Renewing Certificates

Certificates are issued for a finite lifetime, which means that they will expire. The lifetime of the certificate will depend on the type of certificate and the policy that the CA has set for the certificates. Certificates will need to be renewed when the lifetime ends. When you renew a certificate, you can choose to keep the same public/private key or generate a new key pair. The longer a key is active, the more vulnerable it is to being compromised. You can reduce the risk of key compromise by renewing the public/private key combination each time you renew a certificate instead of only at the maximum lifetime of the key pair. At

the least, you should never renew the certificate past the lifetime of the key pair. When renewing CA certificates, you should always generate a new key pair. You can also increase the length of the key when you renew a certificate. This means you can use the renewal process to strengthen the key if you determine that it no longer meets your security policy. At the time of writing it was recommended that the key length be somewhere between 1024 and 4096 bits; 1024-bit RSA keys are no longer considered adequate, so treat 2048 bits as the minimum for new keys. Even if traffic signed or encrypted with the key is captured, a strong key makes recovering the private key computationally infeasible.

The following questions need to be answered before you can determine a renewal strategy for your certificates:
▲ Which certificates are you allowed to renew?
▲ How often can a certificate be renewed before its key is retired?

You can justify longer lifetimes for certificates if they are infrequently used and have strong keys, because a potential cracker won't have many opportunities to capture them. On the other hand, if the certificate has a weaker key or is used more frequently, you will want a shorter lifetime. You should renew these certificates more frequently, but never beyond the lifetime of the CA certificate.

CAs also have certificates that are issued from their parent CA or, in the case of the root CA, to itself. You should remember that when a CA's certificate expires, the CA can no longer issue certificates and all certificates that the CA issued will expire. When these certificates expire, all subordinate CAs' certificates expire with them. When you renew a CA's certificate with a new key pair, all subordinate CAs' certificates will need to be renewed as well so that they chain to the new CA certificate. You can continue to renew the signature for a certificate up to the issuing CA certificate's lifetime. You will need to come up with a strategy to renew the CA certificates, or any certificate, before they expire.

3.6.8 Revoking a Certificate

Sometimes you might have a problem with a certificate: for example, the private key might be compromised, or an employee might quit and you no longer want the certificate to be valid. Perhaps you have a need to update information in the certificate. There are many situations that can cause you to revoke a certificate, but the following is a list of possible reasons:
▲ The CA has been compromised.
▲ The private key has been compromised.
▲ A new certificate that replaces the previous certificate has been issued.
▲ You have decommissioned or replaced the CA.

You can invalidate a certificate on the CA and then publish the CRL (certificate revocation list) to the root CA and subordinate CAs. This will allow clients to download the revocation list and verify that a certificate is still valid if it is not on the list. You will need to revoke the certificate(s) before publishing the CRL. If you are running Microsoft Certificate Services, you can publish the revocation list to either Active Directory or a website. The location will be stored in the certificate. Applications must be configured to check the CRL at the publishing point chosen, so the application will need to support the chosen publication point. You can configure clients to check the CRL before they accept a certificate. The client can then be configured to either reject the connection or just show a warning box that states that the certificate has been revoked and asks if the user would like to proceed. Keep in mind that a client that cannot reach the CRL publishing point, or that is allowed to proceed past the warning, is effectively not checking revocation at all.

FOR EXAMPLE: Designing a CA Implementation

You are designing a CA strategy for your company. The company has 500 employees. About half the employees telecommute from various locations around the world. The company needs to use a certificate to secure communication on its public web server using SSL. It also needs to issue certificates for EFS encryption and email encryption internally. You recommend that the company purchase the SSL certificate because it needs to be verified by users who are not employees and will not trust the company's CA. You recommend that the company install a root CA and two issuing/intermediate CAs for fault tolerance. You recommend that the root CA be installed as a stand-alone CA and taken offline. The two subordinate CAs will issue EFS certificates and S/MIME certificates. You recommend web-based certificate enrollment to support the telecommuters and allow all users to enroll through a standard mechanism. The certificates will include the location of the CRL. You publish the CRL to a website so that it is accessible by the telecommuters.

SELF-CHECK
1. Describe the chain of trust.
2. Compare a Certification Practice Statement (CPS) and a certificate policy.
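The renewal rules in 3.6.7 (renew before expiry, never outlive the key pair or the issuing CA's certificate, a new key pair for CA certificates and for keys below policy strength, shorter lifetimes for heavily used certificates) as one decision function, added here as an example that is not from the book. The policy numbers (365-day lifetime, 30-day renewal window, 730-day key lifetime, 2048-bit minimum) and the halved lifetime for "high use" certificates are assumptions chosen for the demonstration, and the certificate records are constructed.

```python
"""Renewal planner: the 3.6.7 rules (key-pair lifetime, CA certificate lifetime, key strength,
usage) as one decision function. Added example, not from the book."""
from datetime import date, timedelta

POLICY = {                      # assumed policy values, not from the book
    "lifetime_days": 365,       # default lifetime of a renewed certificate
    "renew_window_days": 30,    # start renewing this long before expiry
    "key_lifetime_days": 730,   # a key pair is retired after this long
    "min_bits": 2048,           # keys below this are replaced at renewal
}


def plan_renewal(cert, today, policy=POLICY):
    """cert fields: not_after, key_created, key_bits, issuer_not_after, is_ca, high_use."""
    window = timedelta(days=policy["renew_window_days"])
    if cert["not_after"] - today > window:
        return {"action": "wait", "next_check": cert["not_after"] - window}
    if cert["issuer_not_after"] <= today:  # an expired CA certificate can issue nothing
        return {"action": "blocked", "reason": "issuing CA certificate has expired; renew the CA first"}
    lifetime = policy["lifetime_days"] // (2 if cert["high_use"] else 1)  # heavily used keys get shorter lives
    requested = today + timedelta(days=lifetime)
    key_retires = cert["key_created"] + timedelta(days=policy["key_lifetime_days"])
    reasons = []
    if cert["is_ca"]:
        reasons.append("CA certificates always get a new key pair")
    if cert["key_bits"] < policy["min_bits"]:
        reasons.append("%d-bit key is below the %d-bit policy minimum" % (cert["key_bits"], policy["min_bits"]))
    if key_retires <= today:
        reasons.append("key pair has reached its maximum lifetime")
    new_key = bool(reasons)
    not_after = min(requested, cert["issuer_not_after"])  # never outlive the issuing CA's certificate
    if not new_key:
        not_after = min(not_after, key_retires)           # and never outlive the key pair
    return {"action": "renew", "new_key_pair": new_key, "reasons": reasons,
            "key_bits": max(cert["key_bits"], policy["min_bits"]) if new_key else cert["key_bits"],
            "not_after": not_after}


def run_scenarios(today=date(2008, 6, 1)):
    """Constructed certificate records; returns {name: plan}."""
    base = {"key_created": date(2007, 1, 1), "key_bits": 2048,
            "issuer_not_after": date(2012, 1, 1), "is_ca": False, "high_use": False}
    certs = {
        "user": dict(base, not_after=date(2008, 6, 20)),
        "heavily used server": dict(base, not_after=date(2008, 6, 20), high_use=True),
        "weak key": dict(base, not_after=date(2008, 6, 20), key_bits=1024),
        "subordinate CA": dict(base, not_after=date(2008, 6, 20), is_ca=True, issuer_not_after=date(2009, 3, 1)),
        "orphaned": dict(base, not_after=date(2008, 6, 20), issuer_not_after=date(2008, 5, 1)),
        "not yet due": dict(base, not_after=date(2009, 6, 1)),
    }
    return {name: plan_renewal(cert, today) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, plan in run_scenarios().items():
        print("%-20s %s" % (name, plan))
```

The ordinary user certificate keeps its key but is cut short at the key pair's retirement date (31 December 2008) rather than getting the full 365 days; the heavily used server gets half the lifetime; the 1024-bit key and the subordinate CA are forced onto new key pairs, and the subordinate CA's new certificate is capped at its parent's expiry; the certificate whose issuer has already expired cannot be renewed at all until the CA itself is.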

SUMMARY

In this chapter you learned the fundamentals of cryptography and PKI. You learned a little about early cryptographic efforts and their vulnerabilities. Next you learned about the four primitives of cryptography: random numbers, symmetric encryption, asymmetric encryption, and hashes. Finally, you learned about PKI and the things you need to consider when designing a CA implementation.

KEY TERMS

Active Directory, Advanced Encryption Standard (AES), Algorithm, Asymmetric encryption, Authentication, Block cipher, Blum-Blum-Shub pseudorandom generator, Brute force methods, CAPolicy.inf file, Certificate, Certificate Authority (CA), Certificate path, Certificate policy, Certification Practice Statement (CPS), Certificate request, Certificate Revocation List (CRL), Certificate template, Chain of trust, CIA, Cipher block chaining (CBC), Cipher feedback (CFB), Cipher text, Computationally secure, Confidentiality, Cross-certification, CRHF, Cryptanalysis, Cryptanalyst, Cryptographic primitives, Cryptography, Data Encryption Standard (DES), Depth, Diffie-Hellman key exchange, Digest, Digital certificate, Digital signature, Discrete logarithm problem, Electronic Code Book (ECB), Encrypting File System (EFS), Enigma, Enrollment strategy, Enterprise CA, Frequency analysis, Group Policy, Hash, Hash collisions, Hash function, Integrity, Intermediate CA, Issuing CA, Kerberos, Key, Key agreement protocol, Message Digest-5 (MD5), National Institute of Standards and Technology (NIST), National Security Agency (NSA), One-time pad, Output feedback (OFB), Padding, Plain text, Policy CA, Polyalphabetic substitution, Pre-shared secret, Private key, Propagating cipher-block chaining (PCBC), Pseudorandom numbers, Public key, Public key infrastructure (PKI), Purple, Rijndael, Root CA, RSA, RSA pseudorandom generator, S/MIME, Salting, Self-signing, SHA-1, Shift, Single-key encryption, Smart card, Stand-alone CA, Stream cipher, Subordinate CA, Substitution cipher, Symmetric encryption, Triple DES (3DES), UOWHF, Vigenere cipher, X.509 certificate, XOR function

ASSESS YOUR UNDERSTANDING

Go to www.wiley.com/college/cole to evaluate your knowledge of cryptography and public key infrastructure (PKI). Measure your learning by comparing pre-test and post-test results.

Summary Questions

1. The only way to crack a substitution cipher is with frequency analysis. True or false?
2. What are the cryptography primitives?
(a) Confidentiality, integrity, authentication
(b) Random number generation, symmetric encryption, asymmetric encryption, hash functions
(c) Key strength, depth, predictability
(d) Confidentiality, integrity, availability
3. Which of the following is a symmetric encryption algorithm that can use key sizes of 128, 192, or 256 bits?
(a) AES
(b) DES
(c) 3DES
(d) RSA
4. A stream cipher provides integrity. True or false?
5. A stream cipher requires padding. True or false?
6. To use the Diffie-Hellman key exchange, both parties agree to use the same prime and base. True or false?
7. What is the primary drawback of asymmetric encryption?
(a) It is easier to crack than symmetric encryption.
(b) It does not offer authentication.
(c) It does not offer confidentiality.
(d) It is slower than symmetric encryption.
8. Which of the following is a hashing algorithm?
(a) AES
(b) DES
(c) SHA-1
(d) PGP
9. Which CA has a self-signed certificate?
(a) Intermediate CA
(b) Issuing CA
(c) Policy CA
(d) Root CA
10. Which policy defines the process for responding to a user losing a private key?
(a) Certificate policy
(b) Certification Practice Statement
(c) Security policy
11. A cross-certification must be established before a computer will trust a well-known CA. True or false?
12. An enterprise CA can be taken offline. True or false?
13. When a CA's certificate expires, all certificates issued by that CA expire. True or false?
14. At most, you will need to try how many combinations to crack a substitution cipher?

Applying This Chapter

1. You are designing a cryptography and public key strategy for Busicorp. The company has identified some files it considers confidential and others that require integrity. Some users send email that must be authenticated. In addition, the company has a website that customers use to view product information and place orders.
(a) Why is it preferable to use longer keys when encrypting data?
(b) Why should you use symmetric encryption to encrypt data instead of asymmetric encryption?
(c) How can you ensure that emails can be authenticated?
(d) How can you ensure that the contents of emails are not changed during transit?
(e) Which requirement should be met by purchasing a certificate from a well-known third-party CA?
(f) Describe the advantages and disadvantages of a three-tier hierarchy.
(g) Assuming you are creating a CA hierarchy using Microsoft Certificate Services, how will you configure the root CA?
(h) Where will you define the company's policy for revoking S/MIME certificates?

YOU TRY IT

Cryptology and PKI in Your Environment

1. Have you ever visited a website and received an error message stating that the certificate could not be verified? Think about how you responded. Would you respond differently now? Why or why not? What are some reasons why a certificate might not be verifiable?
2. Have you ever encrypted a file using EFS? Why is symmetric encryption used instead of asymmetric encryption?
3. Windows XP supports driver signing. The digital signature is created from a hash of the driver. You can locate drivers that do not have signatures using a tool named sigverif. What protections does driver signing provide?

4 AUTHENTICATION

Starting Point

Go to www.wiley.com/college/cole to assess your knowledge of authentication. Determine where you need to concentrate your effort.

What You'll Learn in This Chapter
▲ The purpose of authentication
▲ Authentication credentials
▲ Authentication protocols
▲ Password best practices
▲ Limiting logons
▲ Authentication auditing

After Studying This Chapter, You'll Be Able To
▲ Identify security principals that require authentication
▲ Describe how user account information is stored
▲ Choose appropriate credentials to meet authentication requirements
▲ Choose an appropriate authentication protocol to meet authentication requirements
▲ Implement password policies
▲ Limit user logon by time and workstation
▲ Enable auditing for authentication attempts

INTRODUCTION

A key part of securing a network is ensuring that only users who should access the network can access it. There are really two parts to that process:

1. Authentication: the process of verifying an identity (for example, a user).
2. Authorization: the process of determining the resources the user can access once authenticated.

In this chapter, we'll focus on authentication. We'll look at the points you need to consider when designing an authentication strategy, including who and what must be authenticated, the credentials users will use to prove their identities, which computers will perform the authentication, and the protocols that will be used to send credentials across the network.

4.1 Authentication Overview

You must consider the authentication requirements of your entire organization when designing the authentication infrastructure. Obviously, a heterogeneous environment (a network environment that runs multiple operating systems) can add a level of complexity to your design considerations, but even on a homogeneous network there might be several different authentication methods in use. Users might authenticate locally, remotely, or over the Internet. You must even consider the level of remote access that you intend to support. You also need to consider which computers need to be authenticated. This includes services that your company exposes, such as a website or File Transfer Protocol (FTP) server, and applications that contain their own authentication mechanisms. Servers need to be authenticated by clients to mitigate the risk of an attacker setting up a server that impersonates a legitimate resource. In addition, some applications might have specific authentication requirements. Before we move on to discuss the details of credentials and authentication protocols, let's look at some potential requirements for authentication on a network, starting with the simplest example: logging on interactively to a computer.

4.1.1 Interactive Logon

Most operating systems today support multiple users. This means that a user must log on to the computer. An authenticated user or computer is known as a security principal. If the computer is not a network member, or is a member of a peer-to-peer network (a network without centralized security), the user will supply credentials (proof that the user is who he or she claims to be), and the credentials will be validated by the computer where the user is logging on. If the user is logging on to a computer that is a member of a domain (a security boundary in a Windows network that uses centralized or directory-based security),

the user is authenticated by the domain controller (the server that stores the database or directory of user credentials). When centralized security is used, the logon not only provides the security context that will be used for the interactive logon, but also provides the credentials that will be used for accessing resources on the network. This is known as single sign-on.

Credentials for local user accounts on a computer running Windows 2000, Windows XP, or Windows Server 2003 are stored in the Security Accounts Manager (SAM) database. Domain controllers running Windows NT store the credentials in the SAM. Domain controllers running Windows 2000 Server or Windows Server 2003 store the credentials in the Active Directory database (a hierarchical database of network objects, including users, groups, and computers). When Windows XP is not a domain member, a dialog box like the one shown in Figure 4-1 will prompt the user for logon credentials.

A user's logon credentials are associated with a security identifier (SID), which uniquely identifies the user. The SID determines the security context under which all the applications the user launches run. Users can change the security context for a specific application by using the Run As command and supplying a different set of credentials. This is known as secondary logon and is a good way for administrators to ensure that a security context that has a large number of permissions is used only when required.

A Linux computer can authenticate users using a number of different methods. Local user accounts are defined in the /etc/passwd file; when shadow passwords are enabled, the password hashes are kept out of the world-readable /etc/passwd and stored in /etc/shadow, which only root can read. Most Linux distributions include pluggable authentication modules (PAM), a framework that gives programs a standard interface to a variety of authentication mechanisms. A Linux computer can also take advantage of several different network authentication protocols to allow for centralized authentication.

4.1.2 Peer-to-Peer Network Logon

In a peer-to-peer network, resources can be shared on any peer. When a user attempts to access a resource on a peer server, you can share resources using simple file sharing (a type of file sharing in which the Guest account is used to access files and the user is not actually authenticated) or user-based access control (a method in which a user is authenticated and the user's SID is used to determine resource access permissions).

4.1.3 Computer Authentication

Some security architectures also require computers to be authenticated on a network. For example, on an Active Directory network, a domain member must be authenticated by the domain controller. Authenticating a computer ensures that
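What a practitioner actually checks in those two Linux files, as an added example that is not from the book: a standard-library Python audit of constructed /etc/passwd and /etc/shadow contents. The sample accounts, the placeholder hash strings and the 365-day maximum password age are invented for the demonstration; the colon-separated field layout, the "x" marker in /etc/passwd, the locked-account markers and the $id$ hash prefixes are the real crypt(3) and shadow(5) conventions.

```python
"""Audit /etc/passwd and /etc/shadow content for weak credential storage.
Added example, not from the book; both files below are constructed samples."""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:$1$saltsalt$PLACEHOLDERMD5HASH:1002:1002:Legacy app:/home/legacy:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$PLACEHOLDERSHA512HASH:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
backup:!:17500:0:99999:7:::
alice:$6$othersalt$PLACEHOLDERSHA512HASH:17500:0:90:7:::
bob::17500:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERMD5HASH:15000:0:99999:7:::
"""

WEAK = {"": "DES crypt", "1": "md5crypt"}                        # reject at policy level
STRONG = {"5": "sha256crypt", "6": "sha512crypt", "2b": "bcrypt", "y": "yescrypt"}


def hash_algorithm(field):
    """Return the $id$ prefix of a crypt(3) hash; '' means traditional 13-character DES crypt."""
    return field.split("$")[1] if field.startswith("$") else ""


def parse(text):
    """Map user name to the list of colon-separated fields, skipping blanks and comments."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def audit(passwd_text, shadow_text, today_days, max_age_days=365):
    """today_days is days since the epoch, the unit /etc/shadow uses for its date fields."""
    findings = []
    passwd, shadow = parse(passwd_text), parse(shadow_text)
    for user, f in passwd.items():
        if f[2] == "0" and user != "root":
            findings.append((user, "UID 0 account other than root"))
        if f[1] not in ("x", "*", "!"):
            findings.append((user, "password hash stored in world-readable /etc/passwd"))
        if user not in shadow:
            findings.append((user, "no /etc/shadow entry"))
    for user, f in shadow.items():
        pw = f[1]
        if pw in ("*", "!!") or pw.startswith("!"):
            continue                                              # locked or no-login account
        if pw == "":
            findings.append((user, "empty password field: logon without a password"))
            continue
        alg = hash_algorithm(pw)
        if alg in WEAK:
            findings.append((user, "weak hash algorithm %s" % WEAK[alg]))
        elif alg not in STRONG:
            findings.append((user, "unrecognised hash algorithm id %r" % alg))
        last_change, max_days = int(f[2] or 0), int(f[4] or 99999)
        if max_days >= 99999:
            findings.append((user, "password never expires"))
        if today_days - last_change > max_age_days:
            findings.append((user, "password not changed for %d days" % (today_days - last_change)))
    return findings


if __name__ == "__main__":
    for user, problem in audit(PASSWD, SHADOW, today_days=18000):
        print("%-8s %s" % (user, problem))
```

On the constructed data the audit flags the second UID 0 account (backup), the hash that leaked into /etc/passwd and the md5crypt algorithm for legacy, bob's empty password field (which lets anyone log on as bob with no password at all), and the accounts whose passwords never expire or have not been changed within the policy period, while correctly ignoring the locked daemon and backup entries.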

the computer is the computer it claims to be, not an imposter. Although computer authentication is used for all domain members, it is especially important for servers because it helps prevent man-in-the-middle attacks. When a computer is added to an Active Directory domain, it is assigned a SID and a password. The password is changed automatically, on a schedule that is set through the "Domain member: Maximum machine account password age" policy under Local Policies | Security Options. This can be managed through Local Security Settings (see Figure 4-2) or centrally, through Group Policy Objects (GPOs). A GPO is an Active Directory object that is used to centrally manage user and computer configuration settings, including security settings. It is important to keep in mind that computers running Windows 95, Windows 98, Windows Me, and Windows XP Home cannot be added as domain members.

Another example of when you would use computer authentication is when accessing a secure website. The web server must prove its identity to the browser when using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). It does so by providing a certificate as its credential. The browser checks that the certificate was issued by a certificate authority it trusts, and that the name in the certificate matches the site being visited, and if so authenticates the web server.

Figure 4-1: Logon dialog box.

Figure 4-2: Local security settings.

4.1.4 Mutual Authentication

So far we have discussed only one-way authentication. One-way authentication ensures that one party in the conversation (usually the one requesting access) is who it claims to be. However, the other party's identity is still not known, leaving the network open to spoofing attacks or man-in-the-middle attacks. Mutual authentication helps solve this problem by requiring that both parties in the conversation provide authentication credentials.

Let's look at the example of the secure website that uses either SSL or TLS. Suppose that the website can only be accessed by users who are members of an organization. In this case, you could use a client certificate (a digital certificate requested by and issued to a computer that acts as a client in a session) to validate the client computer's membership. The example is illustrated in Figure 4-3. Because the server and the client have exchanged certificates and verified that they both trust the respective issuing authorities, the server and client know that they can trust that neither one is an imposter.

Figure 4-3: Mutual authentication using SSL or TLS (the client computer presents a client certificate to the web server, and the web server presents a server certificate to the client).

4.1.5 Application Authentication

Some applications require users to be authenticated before they can access features of the application. The following are some examples:
▲ Secure websites, such as online banking or a members-only application.
▲ E-commerce applications.
▲ Email servers.
▲ Database servers.
▲ Instant messaging applications.
▲ Online accounting applications.

Applications use a variety of methods to authenticate users. Some use the authentication methods of the operating system on which the application is run. Others might use a public central authentication service, such as Windows Live authentication (formerly known as Microsoft Passport, or .NET Passport). Still others might implement their own authentication by storing credentials in a proprietary database or file. Other applications might use digital certificates to provide authentication. Sometimes an application needs to access another server, such as a database server. In this case, the application might access that server using its own credentials, or it might impersonate the user by passing the user's credentials to the database server.

FOR EXAMPLE: Authentication on Internet Information Services (IIS)

Busicorp would like to provide paid subscribers with access to an online education forum. The forum is a web application running on IIS. The user accounts will be created and stored in the SAM database on the web server. The company wants to authenticate users each time they log on. You need to allow maximum compatibility with different browsers. The website's authentication methods are currently configured as shown in Figure 4-4. You determine that you should disable anonymous access because anonymous access does not authenticate the user. Instead, it uses the security context of the IUSR_computername account to execute the web application. This setting is appropriate for websites with public content. Your next step is to select one or more authentication methods to use. The authentication methods are described in Table 4-1. You decide that none of these authentication methods meet your needs and determine that you will need to issue client certificates to paid subscribers. You purchase an SSL server certificate from a third-party certificate authority. You also install Certificate Services on your web server and provide a link that allows users to request and install client certificates after they have paid. You map the client certificates to user accounts in the SAM database. The server will be authenticated using the server certificate. Users will be authenticated using the client certificates when they log on.

Figure 4-4: Website authentication methods.

SELF-CHECK
1. Identify the location used to store user credentials on a computer running Windows XP Professional.
2. Describe the purpose of a pluggable authentication module.
3. Identify the type of authentication you can use to help guard against man-in-the-middle attacks.

Table 4-1: IIS Authentication Methods

Authentication Method: Description

Integrated Windows authentication: Authenticates users using either Active Directory or the local account database. Does not send the password itself; it uses an NTLM challenge/response exchange or a Kerberos ticket. Requires Internet Explorer.

Digest authentication: Authenticates users using Active Directory. Sends an MD5 hash computed over the credentials and a server-supplied nonce, not the password itself. Does not require Internet Explorer.

Basic authentication: Authenticates users using either Active Directory or the local account database. Sends credentials as clear text (base64-encoded, which is a reversible encoding, not encryption). Works with most browsers.

.NET Passport authentication: Authenticates users using Windows Live.

4.2 Authentication Credentials

The first step in authentication is identification. During the identification process, a user or computer supplies credentials that can be used to prove identity. The following are the types of credentials that can be used:
▲ Something you know, such as a personal identification number (PIN) or password; this factor is known as type 1 authentication.
▲ Something you have, such as an ATM card, certificate, or smart card; this factor is known as type 2 authentication.
▲ Something you are (physically), such as a fingerprint or retina scan; this factor is known as type 3 authentication.

Obviously, using more than one factor adds additional credence to the authentication process. For example, two-factor authentication refers to using two of the three factors, such as a PIN (something you know) in conjunction with an ATM card (something you have).

4.2.1 Password Authentication

Passwords are the most common way for users to provide credentials. However, they are also the most vulnerable to attacks, such as social engineering attacks, dictionary attacks, and brute force attacks. A clear written policy on password

best practices and an automated policy that requires strong passwords can help mitigate these types of attacks. Some best practices for password-based authentication are provided later in the chapter.
Some authentication systems use a passphrase instead of a password. A passphrase is longer than a password and can contain spaces. The passphrase is converted into a virtual password by the system.
Passwords are particularly vulnerable to discovery by network sniffers if they are passed over the network in clear text. The clear text transmission is usually a result of IIS being configured to use the basic authentication method when receiving the credentials from the user. Unfortunately, other types of IIS authentication are not supported by most browsers. If you allow users to log on to your network from outside of the office, you will need to make sure that the credentials being transmitted are encrypted to prevent passwords from being sniffed. You can secure this type of remote access by using SSL to encrypt all of the traffic to your Internet site or by requiring that all access to the network’s resources be made through a virtual private network (VPN) connection.

Figure 4-5 LC4 password recovery.

There are also products that need only the hash of the password in order to break the password. One example of this is L0phtcrack (currently called LC5), which can sniff the hash on the network and then attack it using dictionary or brute force attacks. Using a utility like LC5, most passwords are broken in the first few minutes. You can see a previous version of LC5 in Figure 4-5 after only a few seconds of processing a typical network password list. To prevent this from happening in your organization you’ll want to make sure that the password hashes are not sent across the network.
Another potential password vulnerability is that the password could be intercepted by a keystroke logging program as the user enters it using the keyboard. There are several Trojan horse applications (software that pretends to be a legitimate application, but that is actually performing malicious tasks) or keystroke logging utilities that store and forward passwords to an attacker. You’ll need to make sure that you have appropriate policies in place to prevent this type of software from getting installed. You can minimize its usefulness by not storing passwords on the local machine and by preventing its installation on a machine that has access to your network.

FOR EXAMPLE
Intercepting Passwords Sent in Clear Text
Jim is a traveling salesman for InnaTech banking software and he accesses his email remotely. InnaTech has enabled Outlook Web Access (OWA), an Internet-facing server that allows access to Microsoft Exchange through HTTP, and has made it available outside the corporate firewall. The IIS web server is configured to use basic authentication through HTTP (port 80) so that Jim and the other salespeople can access their email, calendar, and contacts from anywhere, including from his home, where he has cable modem access. Because InnaTech uses both basic authentication and an insecure communications channel, anyone on the network that Jim uses to check his email would be able to sniff his credentials from the network, and the credentials will be in clear text. If Jim uses his home computer, in many cases his neighbors would be able to sniff his network packets traveling to and from his provider. They could also be sniffed from a wireless network at a coffee shop or in an airport. After a competitor intercepted Jim’s password, accessed Jim’s email account, and obtained important information about prospective customers, the company changed the OWA server to use SSL. Now the passwords and the email will be sent as encrypted text, making them less likely to be discovered by a competitor.
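The InnaTech situation as an added example (not the book’s code): an audit routine that inspects captured HTTP requests, decodes any Basic credential it finds and reports which accounts were exposed over plain HTTP versus carried inside SSL. The requests, host names and credentials are constructed for the example.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed sample requests (not real traffic). The header value is built with
# base64 here so the sample is reproducible; the account name and password are
# invented placeholders.
_SAMPLE_CREDENTIAL = base64.b64encode(b"jim:Placeholder-Pass-1").decode("ascii")

CAPTURED_REQUESTS: List[Dict[str, str]] = [
    # Basic authentication over plain HTTP on port 80: the situation in the example.
    {"transport": "http",
     "raw": "GET /exchange/ HTTP/1.1\r\nHost: owa.example.com\r\n"
            f"Authorization: Basic {_SAMPLE_CREDENTIAL}\r\n\r\n"},
    # The same request after the OWA server was switched to SSL.
    {"transport": "https",
     "raw": "GET /exchange/ HTTP/1.1\r\nHost: owa.example.com\r\n"
            f"Authorization: Basic {_SAMPLE_CREDENTIAL}\r\n\r\n"},
    # A request that carries no credentials at all.
    {"transport": "http",
     "raw": "GET /public/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into a lower-cased header-name -> value map."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <base64>' value, or None if malformed.
    Basic authentication is only base64-encoded, which is why it is clear text
    to anyone who can read the packet."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit_request(transport: str, raw: str) -> Dict[str, str]:
    """Classify one request: are credentials present, and are they protected?"""
    auth = parse_headers(raw).get("authorization")
    creds = decode_basic(auth) if auth else None
    if creds is None:
        return {"verdict": "no-basic-credentials"}
    user, password = creds
    if transport.lower() == "https":
        # The header exists but travels inside SSL, so a sniffer never sees it.
        return {"verdict": "basic-over-tls", "user": user}
    # Plain HTTP: anyone on the path can read the header. Report the account so it
    # can be reset, but never write the password itself to a report.
    return {"verdict": "CLEARTEXT-CREDENTIALS", "user": user,
            "password_length": str(len(password))}


def audit_capture(requests: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [audit_request(r["transport"], r["raw"]) for r in requests]
```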

4.2.2 One-Time Passwords
A one-time password is a password that can be used only for a short amount of time (generally seconds) or for only a single logon. A one-time password generated based on the current time helps to mitigate the risk of man-in-the-middle attacks. However, like any security measure, the risk is not completely eliminated. If the intruder intercepts the password and uses it immediately, the attack will be successful. One-time passwords are normally implemented using a hardware token. One-time passwords can be generated using one-way functions that return the next password in a sequence, generated based on the current time, or generated based on a response to a challenge.

FOR EXAMPLE
RSA® SecurID® Authenticators
RSA SecurID authenticators use a one-time password, in conjunction with a PIN, to provide two-factor authentication. The RSA SecurID generates a new one-time password every sixty seconds. It is generated using a symmetric key and a pseudorandom number. The user will periodically be required to reenter the current one-time password. They are available in a number of different models, including a key fob, credit-card sized device, USB flash drive, and software that can be installed in mobile devices, such as personal digital assistants (PDAs) and smart phones. Some hardware authenticators offer additional features, such as storing digital signatures or storing a username and password.

4.2.3 Smart Cards
A smart card is a card that has a chip in it that securely stores data. This data usually consists of digital certificates and the user’s private keys. Smart cards use a two-factor authentication mechanism that requires the user to enter a PIN. Therefore, the certificates and keys are not accessible to someone if they were to steal the smart card without the user’s PIN. And knowing the PIN without possessing the smart card will also not allow an attacker to authenticate. You can require smart card authentication on a Windows 2000 (or later) computer by enabling the Interactive logon: Require smart card policy in Security Options. You can also require smart card authentication for a specific user in an Active Directory domain by displaying the Account tab of the user’s Properties dialog box and selecting the “Smart card is required for interactive logon” checkbox (see Figure 4-6). The main drawback to smart card authentication is that each workstation must have a smart card reader. In addition, you need to implement a public key

Figure 4-6 Requiring smart card authentication for a user.

infrastructure (PKI) with a Certificate Authority (CA) that can issue smart card certificates and a certificate enrollment station. You will also need to assign one or more employees the job of verifying credentials and issuing smart cards.

4.2.4 Biometrics
Biometrics is defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics. Biometrics is a type 3 authentication mechanism because it is based on what a person “is.” Biometrics is useful in both identification and authentication modes. For identification, biometrics is applied as a one-to-many search of an individual’s characteristics from a database of stored characteristics of a large population. An example of a one-to-many search is trying to match a suspect’s fingerprints to a database of fingerprints of people living in the United States. Conversely, authentication in biometrics is a one-to-one search to verify a claim to an identity made by a person. An example of this mode is matching an employee’s

fingerprints against the previously registered fingerprints for that employee in a database of the company’s employees.
The following are typical biometric characteristics:
▲ Retina scans
▲ Iris scans
▲ Fingerprints
▲ Facial scans
▲ Palm scans
▲ Hand geometry
▲ Voice
▲ Handwritten signature dynamics
Performance measures of a biometric system range from technical characteristics to employees feeling comfortable with their use. The following are examples of performance measures:
▲ Type I error or false rejection rate (FRR): the percentage of valid subjects that are falsely rejected.
▲ Type II error or false acceptance rate (FAR): the percentage of invalid subjects that are falsely accepted.

FOR EXAMPLE
Implementing Multifactor Authentication
Your company has a research and development department that performs highly sensitive operations. The company’s current network is configured as an Active Directory domain. Users are authenticated using passwords, and a policy is in place to require users to choose strong passwords and change them every 45 days. Even with all the password procedures in place, a user in the research and development department’s password was obtained by a competitor. You suspect the breach occurred as the result of a social engineering attack, but you cannot be sure. Your boss asks you for a recommendation. You recommend issuing smart cards to the users in the research and development department and changing their user accounts so that they require smart card authentication. The company implements your suggestion, and there are no more problems with security breaches in the research and development department. The company creates a deployment plan to deploy smart cards to all users within the next three years.
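The time-based one-time password of Section 4.2.2 and the SecurID example, as an added example that is neither the book’s code nor RSA’s proprietary SecurID algorithm: an HMAC-based time code in the style of RFC 6238 with a sixty-second step, a verifier that tolerates one step of clock drift, and a PIN-plus-token two-factor check. The secret key, PIN and clock values are constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # SecurID-style: a new code every sixty seconds
DIGITS = 6


def one_time_password(secret: bytes, unix_time: int,
                      step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Derive the code for the time step containing `unix_time`.
    The token and the server share `secret` (the symmetric key); the current
    time supplies the changing input, so the code is only good for one step."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or `skew_steps` either side, to allow
    for clock drift between token and server. Anything older is simply expired,
    which is what limits the value of an intercepted code."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = one_time_password(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return True
    return False


def two_factor_login(secret: bytes, stored_pin: str, pin: str,
                     code: str, unix_time: int) -> bool:
    """Something you know (the PIN) plus something you have (the token's code).
    The PIN alone or the code alone is not enough."""
    pin_ok = hmac.compare_digest(stored_pin.encode(), pin.encode())
    return pin_ok and verify(secret, code, unix_time)
```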

▲ Crossover error rate (CER): the percent in which the FRR equals the FAR. The smaller the CER, the better the biometric system.
▲ Enrollment time: the time it takes to initially register with a system by providing samples of the biometric characteristic to be evaluated. An acceptable enrollment time is around two minutes.
▲ Throughput rate: the rate at which the system processes and identifies or authenticates individuals. Acceptable throughput rates are in the range of 10 subjects per minute.
▲ Acceptability: the considerations of privacy, invasiveness, and psychological and physical comfort when using the system. For example, a concern with retina scanning systems might be the exchange of body fluids on the eyepiece. Another concern would be the retinal pattern, which could reveal changes in a person’s health, such as the onset of diabetes or high blood pressure.

SELF-CHECK
1. Name the type of credential that provides two-factor authentication.
2. Describe the benefit of one-time passwords.
3. Describe the criteria that are considered when determining the acceptability rating for a biometric authentication.

4.3 Authentication Protocols
The authentication protocol defines how the credentials are stored on the authentication server and passed between the client and the server. The authentication protocols supported on your network depend on the operating systems running on the clients and the servers. In this section we’ll discuss various authentication protocols. However, our discussion will primarily focus on the authentication protocol that has become a standard, Kerberos.

4.3.1 LAN Manager-Based Protocols
Windows 2000 Server and Windows Server 2003 support both LAN Manager-based protocols and Kerberos. In Windows 2000 and higher, the Security Support Provider Interface (SSPI) will determine which authentication protocol

should be used for account validation. The three LAN Manager-based protocols are as follows:
1. LAN Manager
2. Windows NT LAN Manager (NTLM)
3. NTLM version 2 (NTLMv2)

LAN Manager
The LAN Manager protocol is used by older Microsoft operating systems such as MS-DOS® and Windows 95. LAN Manager authentication protocol is the least secure method supported in Windows 2000 Server and Windows Server 2003 and therefore should be used only if the computers must access resources being served by computers running MS-DOS, Windows 95, or Windows 98 operating systems. The LAN Manager protocol has a maximum password-length restriction of 14 characters. The one-way function algorithm for LAN Manager passwords is weak and can easily be cracked. Therefore, if your organization does not require LAN Manager, you should remove the LAN Manager password hashes from the account database. You should remove the hashes by enabling the Network security: Do not store LAN Manager hash value on next password change policy in Local Security Policy or Group Policy (see Figure 4-7), or simply require that passwords be greater than 14 characters long.

Figure 4-7 Disabling LAN Manager hashes.

NTLM
The NTLM protocol does a better job of storing passwords than LAN Manager, storing them as an MD4 hash. The maximum password length is also 256 characters. NTLM is the default authentication protocol for Windows NT 4.0 domains and for local SAM accounts in Windows 2000 and Windows XP. NTLM hashes are vulnerable to L0phtCrack. There is no way to disable NTLM-based authentication completely in Windows 2000 or Windows XP.

NTLMv2
The NTLMv2 protocol is the most secure of the LAN Manager-based protocols in Windows 2000 and Windows XP. The NTLMv2 protocol can perform mutual authentication. NTLMv2 is the default authentication protocol for Windows Vista™. This protocol is also available for Windows 95 and newer Microsoft operating systems if the Active Directory client extensions are installed.

Selecting Which LAN Manager Protocols are Supported
You can select how the computers in your environment will use the LAN Manager and NTLM authentication by configuring the LAN Manager compatibility level through the Network security: LAN Manager authentication level policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ in Local Security Policy or Group Policy, as shown in Figure 4-8. The LAN Manager compatibility levels are described in Table 4-2.

Figure 4-8 Setting LAN Manager authentication level.

Table 4-2: LAN Manager Compatibility Levels
Level  Clients                              Authenticating Servers
0      Use LAN Manager and NTLM only        Accept LAN Manager, NTLM, and NTLMv2
1      Use LAN Manager, NTLM, and NTLMv2    Accept LAN Manager, NTLM, and NTLMv2
2      Use NTLM and NTLMv2                  Accept LAN Manager, NTLM, and NTLMv2
3      Use NTLMv2                           Accept LAN Manager, NTLM, and NTLMv2
4      Use NTLMv2                           Accept NTLM and NTLMv2
5      Use NTLMv2                           Accept NTLMv2

4.3.2 Kerberos
Kerberos, named after the three-headed dog that guards the entrance to the underworld in Greek mythology, is an authentication protocol based on symmetric key cryptography. It was developed under Project Athena at the Massachusetts Institute of Technology. It is a trusted, third-party authentication protocol that authenticates clients to other entities on a network and provides a secure means for these clients to access resources on the network. The Kerberos v5 authentication protocol is the default authentication protocol for computers running Windows 2000 or higher that are in Active Directory domains and authenticating to Windows 2000 or Windows Server 2003 domain controllers. When coupled with strong passwords, the Kerberos v5 protocol is considered the strongest authentication protocol in the Windows arsenal. The Kerberos protocol supports smart cards for multifactor authentication and adheres to RFC 1510. The operation of Kerberos was clarified under RFC 4120, and RFC 1510 is now considered obsolete. Kerberos is an industry standard and is also supported by Unix®-based operating systems, current versions of Novell® NetWare®, and Macintosh® operating systems. A security border in Kerberos is known as a Kerberos realm. Kerberos allows an Active Directory network to interoperate with Unix-based operating systems by creating a trust relationship with a Kerberos realm. A trust relationship is an association that allows computers and users in Domain A to trust computers and users in Domain B based on their authentication by an authentication server in Domain B.

FOR EXAMPLE
Designing Client Authentication
Luke Worrall & Associates is a national accounting firm with over 12,000 employees nationwide. LW&A has offices in Dover, Philadelphia, Miami, Minneapolis, and San Francisco. Each office has its own domain. Each office has its own IT staff that reports to the corporate IT staff located at the corporate headquarters in Dover. LW&A has upgraded all of its domain controllers to Windows Server 2003. There are several different operating systems that employees use. LW&A is in the process of standardizing on Windows XP Professional. The offices in Dover, Philadelphia, and Minneapolis are all running Windows XP Professional. The office in Miami has mostly Windows XP Professional, but there are still some desktops running Windows 98, Second Edition, and Windows NT 4.0 Workstation. The office in San Francisco was recently acquired from a competing firm and has two Unix servers. The Unix servers run specific software that the employees in the San Francisco office need to access. All other servers in San Francisco are running Windows Server 2003 and all of the workstations are running Windows XP Professional.
Your manager wants to implement NTLMv2 as the least-secure protocol that will be accepted by the domain controllers in your Dover, Philadelphia, Miami, and Minneapolis offices to ensure a secure computing environment. You must also incorporate the Unix servers in San Francisco into your network strategy. The users at the San Francisco office must be able to access the data and the services published from the Unix servers, and you cannot require the users in that office to have more than a single logon. She has asked you to identify any potential problems and incompatibilities that might result from this implementation and how you would rectify them.
You tell your manager that there are no issues with regard to Dover and Minneapolis. All servers are running Windows Server 2003 and all workstations are running Windows XP Professional, which natively support NTLMv2. In Miami, however, the Windows 98, Second Edition, and Windows NT 4.0 workstations cannot authenticate using NTLMv2, and requiring NTLMv2 as the least-secure protocol that will be accepted on the servers in Miami will prevent these older operating systems from authenticating to the domain. To resolve the problems stated, you would need to install the Active Directory client extensions on the machines running Windows 98, Second Edition, and Windows NT 4.0 or upgrade their operating systems to Windows 2000 or XP Professional. To give the San Francisco users single-logon access to the Unix servers, you use Kerberos v5 authentication and create a trust relationship between the San Francisco domain and the Kerberos Unix realm.

How Kerberos Works
A Kerberos authentication server implements three services:
1. Authentication service (AS): responsible for authenticating a user or computer and responding with a session key, which can be used to request tickets to access resource servers.
2. Ticket-granting service (TGS): responsible for supplying the client with a Ticket-granting ticket (TGT).
3. Key distribution center (KDC): stores credentials in a database and manages the exchange of the keys for the clients and servers on the network. It also supplies clients with tickets for accessing resource servers.
Kerberos also supports mutual authentication. Kerberos authentication prevents the replay of the information (a replay attack) by using an authenticator, which includes a timestamp and other information that proves that the principal requesting access to the application is the same one that was granted the ticket by the TGS. All computers involved in a Kerberos-authenticated session must have their time synchronized within a defined threshold (5 minutes in Active Directory).

SELF-CHECK
1. List the authentication protocols that can perform mutual authentication.
2. List the authentication protocols that can be used by a Windows 98 client computer that does not have Active Directory client software installed.

4.4 Best Practices for Secure Authentication
We have already touched on a few concerns for helping to ensure secure authentication practices. In this final section, we’ll look at some guidelines for choosing secure passwords and see how these guidelines can be implemented on a Windows network by using security policies. We’ll also look at other considerations, such as limiting the account logon hours or the workstations from which a user can log on. We’ll also look at the importance of auditing authentication events. Although we’ll look at how to implement these controls on an Active Directory network, keep in mind that similar controls can be implemented through other network operating systems.
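The authenticator and time-synchronization rules described above, as an added example that is not the book’s code nor that of any Kerberos implementation: the checks an application server applies to each authenticator it receives. The five-minute skew is the Active Directory threshold given in the text; KRB_AP_ERR_SKEW and KRB_AP_ERR_REPEAT are the RFC 4120 error names; principal names and clock values are constructed, and decryption of the authenticator under the ticket’s session key is assumed to have already succeeded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

MAX_CLOCK_SKEW = timedelta(minutes=5)   # Active Directory default threshold


@dataclass(frozen=True)
class Authenticator:
    """The fields of a decrypted authenticator that matter for these checks."""
    client: str           # principal named in the ticket, e.g. "jim@CORP.EXAMPLE"
    timestamp: datetime   # client's clock when the authenticator was built (seconds)
    usec: int             # sub-second part: two requests in one second stay distinct


class ReplayCache:
    """Server-side acceptance test: reject stale clocks and exact repeats."""

    def __init__(self, skew: timedelta = MAX_CLOCK_SKEW) -> None:
        self.skew = skew
        self._seen: Dict[Tuple[str, datetime, int], datetime] = {}

    def _evict(self, now: datetime) -> None:
        # Entries older than the skew window would fail the time check anyway,
        # so the cache only has to remember one window's worth of authenticators.
        cutoff = now - self.skew
        for key, ts in list(self._seen.items()):
            if ts < cutoff:
                del self._seen[key]

    def check(self, auth: Authenticator, now: datetime) -> str:
        self._evict(now)
        if abs(now - auth.timestamp) > self.skew:
            return "KRB_AP_ERR_SKEW"     # clocks out of sync, or an old authenticator
        key = (auth.client, auth.timestamp, auth.usec)
        if key in self._seen:
            return "KRB_AP_ERR_REPEAT"   # identical authenticator seen before: replay
        self._seen[key] = auth.timestamp
        return "OK"


def demo() -> List[str]:
    """Constructed sequence: a fresh authenticator, the same one replayed five
    seconds later, one built six minutes ago, a distinct request from the same
    second, and the first one replayed again ten minutes on."""
    now = datetime(2007, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    cache = ReplayCache()
    fresh = Authenticator("jim@CORP.EXAMPLE", now - timedelta(seconds=20), 1234)
    stale = Authenticator("jim@CORP.EXAMPLE", now - timedelta(minutes=6), 0)
    sibling = Authenticator("jim@CORP.EXAMPLE", now - timedelta(seconds=20), 1235)
    return [
        cache.check(fresh, now),
        cache.check(fresh, now + timedelta(seconds=5)),
        cache.check(stale, now),
        cache.check(sibling, now),
        cache.check(fresh, now + timedelta(minutes=10)),
    ]
```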

4.4.1 Password Policies
Windows 2000 and above allow for policies to be set to require strong passwords (a password that is difficult to guess or crack using a dictionary or brute force attack). Although we are discussing these guidelines with regards to how you would implement them in Windows 2000 (or later), the same general best practices apply to passwords used for logging on to other operating systems or to applications. Password policies are stored under Security Settings | Account Options. When configured in Local Security Policy or in a GPO that is linked at a different level than the domain, these policies apply to local (SAM) user accounts. When configured in a GPO linked to a domain, these policies apply to domain member logon accounts. The default policies on a server running Windows Server 2003 that has not been configured as a domain controller are shown in Figure 4-9.

Figure 4-9 Windows Server 2003 default Password Policy settings.

Let’s look at each of these policies and how you can configure them to increase security for password authentication.

Enforce Password History
The value you set for the Enforce password history policy is the number of unique passwords remembered by the system for the specified account. These passwords cannot be reused, so users will not be able to reuse a password that they have used previously.

Maximum Password Age
The value you set for the Maximum password age policy represents the number of days that a password is valid until the user is required to change it. All passwords can be broken given enough time and the correct tool. With that in mind,

one of your goals should be to require passwords that are complex and complicated enough so that they will take more time to break than the maximum password age. For example, if you suspect that a user’s password can be broken in 40 to 60 days, then the maximum password age should be less than the minimum amount of time that the password could be broken; you could set the Maximum password age policy to 30 or 35 and feel confident that it won’t be broken before it must be changed.

Minimum Password Age
The Minimum password age policy determines the number of days that must pass before the password can be changed. The default value is zero. The Minimum password age policy prevents a user from circumventing the purpose of the Maximum password age and Enforce password history policies by requiring that a new password must be in place for a specified period of time before it can be changed. For example, if Maximum password age is set to 30 and Enforce password history is set to 12, the policy’s goal is to prevent a password from being used again for a year. Many users simply change their password 13 times as soon as it expires, allowing them to keep the original password.

Minimum Password Length
The Minimum password length policy determines the minimum number of characters that must be used for a password. The default value for this option is zero. Remember that if this value is greater than 14, the LM hashes will not be stored locally.

Password Must Meet Complexity Requirements
The Password must meet complexity requirements policy requires passwords that do not contain the user’s name or login name, passwords that are at least six characters long, and passwords that contain characters from three of the following four groups:
▲ Uppercase letters
▲ Lowercase letters
▲ Numbers
▲ Special, non-alphanumeric characters such as “ < * & > ? / . , _ = | \ ` ~ ^ % $ # @ !

Store Passwords Using Reversible Encryption
Enabling the Store passwords using reversible encryption policy provides support for applications that use protocols requiring knowledge of the user’s password for authentication purposes. Enabling this policy is essentially the same as storing clear text versions of the passwords. Because of this weakness, this policy

should not be enabled unless the specific application’s requirements are of greater importance than the need to protect the integrity of the passwords. This policy must be enabled if you are using Digest Authentication in IIS or Challenge-Handshake Authentication Protocol (CHAP) authentication for remote access clients. Remote access authentication is beyond the scope of this chapter.

4.4.2 Account Lockout Policy
The Account Lockout policy disables an account when the number of failed authentication attempts exceeds a threshold. Obviously this would slow down a brute force attack because the attacker would be able to attempt only a set number of passwords before the account would be locked. This policy can increase the number of help desk calls and w–ind up costing your organization money. For this reason, complex passwords and good auditing should be used to recognize a brute force attack on an account. The default values for the Account Lockout policies for a computer running Windows Server 2003 are shown in Figure 4-10. These settings mean that a user will never be locked out from typing the password incorrectly.

Figure 4-10 Windows Server 2003 default Account Lockout Policy settings.

Let’s look at the policies you can use to configure account lockout for user accounts.

Account Lockout Duration
The Account lockout duration policy sets the number of minutes that an account will be locked before it is automatically unlocked. Setting the Account lockout duration to 0 causes the account to be locked out indefinitely. Many environments set this for a short amount of time. The time period is usually in place to minimize calls to the help desk by allowing the user to simply wait and try again after the lockout time period has passed. A setting of 0 or a setting greater

than 30 minutes can actually be detrimental to the availability of your network because it can prevent a user from logging on.

Account Lockout Threshold
The Account lockout threshold policy sets the number of invalid attempts that can occur before the account is locked. This value is commonly set to 3, which is typically enough to allow users to realize that they left their Caps Lock key on and still prevent a brute force program from testing a large number of passwords.

Reset Account Lockout Counter After
The Reset account lockout counter after policy sets the duration, in minutes, from an invalid logon attempt until the count resets itself back to zero. The combination of these three account policy options, if used in concert, will minimize the attack surface of many brute force programs. For example, assuming Account lockout duration is set to 30 minutes, Account lockout threshold is set to 5, and Reset account lockout counter after is set to 15 minutes, an attacker would be able to attempt only 10 passwords per hour as opposed to many thousand per minute if no lockout policy is configured.

4.4.3 Account Logon Hours
A useful account setting that you can and should implement is setting valid logon hours to specify when a user is allowed to access the network. Setting valid logon hours is a feature that exists in most network operating systems, including Windows Server 2003. Suppose, for example, that a company has an employee whose job it is to take customer orders over the phone and enter them into an order application during business hours. There should be no reason for this user to be able to log on to the network outside of business hours (since he or she shouldn’t be on the phone). To set this restriction on a Windows Server 2003 computer, open the user’s Properties dialog box, click the Account tab and then click Logon Hours. The Logon Hours screen is shown in Figure 4-11.

4.4.4 Account Logon Workstation
Another security measure you can take is to restrict a user account to logging on only at specific computers. For example, suppose a user has a dedicated desktop computer in the domain. There is no reason for that user to log on to any other computer on the network. The setting is configured using the account’s Properties dialog box from the Active Directory Users and Computers Microsoft Management Console (MMC). To access it, open the user’s Properties dialog box to the Account tab and click the Log On To button. In the Logon Workstations dialog box, select “The following computers” option button. Then you can enter the computer name(s) for the computer or computers that the user will be allowed to log on to.
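The Password must meet complexity requirements, Enforce password history and Minimum password age rules from Section 4.4.1, as an added example that is neither Windows code nor the book’s: a simplified complexity filter and a change routine that shows how the minimum age blocks the change-it-13-times trick. Assumptions: only the login name is checked (Windows also checks the display name), an expired password may always be changed, history is kept as SHA-256 digests, and time is a plain day number; account names and passwords are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


def meets_complexity(password: str, username: str, min_length: int = 6) -> Optional[str]:
    """Simplified 'Password must meet complexity requirements' check.
    Returns None when the password passes, otherwise the reason it fails.
    Assumption: only the login name is checked, not the full display name."""
    if len(password) < min_length:
        return "shorter than minimum length"
    if username and username.lower() in password.lower():
        return "contains the user's login name"
    groups = [
        any(c.isupper() for c in password),      # uppercase letters
        any(c.islower() for c in password),      # lowercase letters
        any(c.isdigit() for c in password),      # numbers
        any(not c.isalnum() for c in password),  # special, non-alphanumeric characters
    ]
    if sum(groups) < 3:
        return "uses fewer than three of the four character groups"
    return None


def _digest(password: str) -> str:
    # History holds digests, never the passwords themselves (illustrative only;
    # Windows uses its own hash formats).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    username: str
    history: List[str] = field(default_factory=list)   # oldest first
    last_changed: Optional[float] = None                # day number of the last change


@dataclass
class PasswordPolicy:
    enforce_history: int = 12     # Enforce password history
    min_age_days: float = 1       # Minimum password age
    max_age_days: float = 30      # Maximum password age
    min_length: int = 6           # Minimum password length

    def is_expired(self, acct: Account, now_days: float) -> bool:
        return acct.last_changed is None or now_days - acct.last_changed >= self.max_age_days

    def change_password(self, acct: Account, new_password: str, now_days: float) -> Optional[str]:
        """Apply the policy to a change request. Returns None on success, else the reason.
        Assumption: an expired password may always be changed, so the minimum age only
        blocks voluntary changes made too soon after the previous one."""
        if (not self.is_expired(acct, now_days)
                and now_days - acct.last_changed < self.min_age_days):
            return "minimum password age not reached"
        reason = meets_complexity(new_password, acct.username, self.min_length)
        if reason is not None:
            return reason
        if _digest(new_password) in acct.history[-self.enforce_history:]:
            return "password found in history"
        acct.history.append(_digest(new_password))
        acct.last_changed = now_days
        return None


def cycle_attempt(policy: PasswordPolicy, acct: Account,
                  start_day: float, count: int) -> List[Optional[str]]:
    """Model the trick of changing the password `count` times in a row, one minute
    apart, starting the moment the old password expires, to push the original
    out of the history list."""
    return [policy.change_password(acct, f"Cycle-Pw{i}!", start_day + i / 1440)
            for i in range(count)]
```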

000.4. The organization has estimated that for each incident in which an attacker is able to guess the password that a particular account uses. To enable auditing for domain authentication attempts. Your organization has also estimated that this type of attack occurs about eight times per year.4 BEST PRACTICES FOR SECURE AUTHENTICATION 141 Figure 4-11 Logon Hours screen. Enabling auditing for failed logon attempts can give you advance warning of an attempted brute force attack. FOR EXAMPLE Analyzing Account Risks by Cost Analysis It has been determined that weak passwords are affecting the overall security of your organization. enable Audit logon events. You enable auditing on a Windows computer by enabling the appropriate audit property in Security Settings | Local Policies | Audit Policy.5 Auditing Logons Another key step you can take to mitigate the risk of an attack and to provide an audit trail if an attack occurs is to enable auditing for failed and successful logon attempts. (Continued) . This cost includes all of the resources that are used in determining that an incident has occurred and in reacting to it. 4. Events are logged to the Event Viewer Security log.4. enable Audit account logon events. it costs approximately $12. To enable auditing for interactive logon attempts.

Your computer security incident response team has proposed three separate solutions, and you must determine which solution is the most appropriate given all of the information involved. The company’s primary objective is to choose the most cost-effective solution. The solutions are described as follows:

Solution 1: A security policy will be created and applied to all accounts in the organization. The policy will require complex passwords as defined by a custom filter that guarantees that strong passwords are the only type that are accepted. The IT staff has estimated the yearly cost to implement this solution and estimates that it will reduce the number of compromised passwords by 25 percent. The help desk estimates that this will increase the support calls for password issues by 50 percent. The help desk determines that it will cost the organization about $2,000 more per year for increased staff.

Solution 2: Solution 1 will be used, and, in addition, you will require that all users reset their passwords every 25 days. Password auditing will also take place on random samples of users to make sure that passwords are not easily located. The IT staff estimates that the total cost of this solution is $10,000 per year and that it would reduce the number of password-related security incidents by 50 percent.

Solution 3: Solution 1 will be used, and, in addition, all users and administrators will attend mandatory password training to assure that there are fewer calls to the help desk and that all users affected by an attack will understand what types of passwords are expected when they must select a new one. This solution would reduce the number of password-related incidents by 75 percent.

Which is the most cost-effective solution? With no solution in place, the organization spends approximately $96,000 a year correcting the problem. Solution 1 will add $2,000 to the cost of correcting the problem but will decrease the quantity of incidents to approximately six per year, which would cost $72,000. Solution 1 makes the total cost of the incidents $74,000 per year. Solution 2 will add $10,000 to the cost and will decrease the quantity of password-related security incidents to approximately four per year. Solution 2 reduces the total cost of the password security incidents to $58,000 per year. Solution 3 adds $50,000 to the cost of the solution and reduces the incidents to two per year, which makes the total cost of password-related incidents $64,000 per year. Based on cost, Solution 2 is the best solution.
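The arithmetic behind this example can be rerun for any set of proposals. The following Python script is an added example, not code from the book: it takes the incident cost and baseline frequency stated above, and for each proposal the percentage reduction and the amount the example says the proposal adds per year, then ranks the options by total yearly cost (the "No solution" row is the baseline).

```python
"""Annual cost comparison for the password-incident example.

Added example (not from the book). Each option's yearly cost is the residual
incidents times the cost per incident plus the option's own running cost.
"""
from dataclasses import dataclass

COST_PER_INCIDENT = 12_000   # dollars per compromised-password incident (from the example)
BASELINE_INCIDENTS = 8       # incidents per year with no solution in place (from the example)


@dataclass(frozen=True)
class Solution:
    name: str
    yearly_cost: int     # dollars the solution adds per year
    reduction: float     # fraction of incidents prevented (0.25 = 25 percent)


def expected_incidents(reduction: float, baseline: int = BASELINE_INCIDENTS) -> int:
    """Incidents per year once a solution prevents `reduction` of them."""
    return round(baseline * (1 - reduction))


def annual_cost(solution: Solution) -> int:
    """Residual incident losses plus the solution's own yearly cost."""
    return expected_incidents(solution.reduction) * COST_PER_INCIDENT + solution.yearly_cost


def cheapest(solutions) -> Solution:
    """The option with the lowest total yearly cost; the baseline is a candidate too."""
    return min(solutions, key=annual_cost)


# The baseline plus the three proposals, with the yearly amounts the example
# says each one adds and the incident reduction each one claims.
DO_NOTHING = Solution("No solution", 0, 0.0)
SOLUTIONS = [
    DO_NOTHING,
    Solution("Solution 1: complex-password filter", 2_000, 0.25),
    Solution("Solution 2: Solution 1 + 25-day resets + password auditing", 10_000, 0.50),
    Solution("Solution 3: Solution 1 + mandatory training", 50_000, 0.75),
]

if __name__ == "__main__":
    for s in SOLUTIONS:
        print(f"{s.name:60s} incidents/yr={expected_incidents(s.reduction)}  total=${annual_cost(s):,}")
    print("Cheapest:", cheapest(SOLUTIONS).name)
```

Running the numbers this way makes every figure in the example checkable against its stated incident count: eight incidents at $12,000 give the $96,000 baseline, and Solution 2's four residual incidents plus its $10,000 cost give the $58,000 that makes it the cheapest option.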

SELF-CHECK
1. Describe how password history can help mitigate an attack.
2. Describe the steps you would take to make it necessary for a hacker who obtained a password through a dictionary attack to have physical access to a specific client computer on the network to be able to log on.
3. Describe the steps you would take to provide advance notification of a hacker’s attempt to use a brute force attack to discover a domain password.

SUMMARY
In this chapter you learned the fundamentals of authentication. You learned that users and computers can be required to be authenticated. You also learned that some applications must authenticate users. You learned about different types of credentials that can be used to prove a user’s identity. Next you learned about four different authentication protocols: LAN Manager, NTLM, NTLMv2, and Kerberos. Finally, you were provided with some best practices for secure authentication on your network.

KEY TERMS
.NET Passport authentication, Acceptability, Active Directory client extensions, Active Directory database, Anonymous access, Authentication, Authentication protocol, Authentication Service (AS), Authenticator, Authorization, Basic authentication, Biometrics, Challenge-Handshake Authentication Protocol (CHAP), Client certificate, Credentials, Crossover Error Rate (CER), Digest authentication, Domain, Domain controller, Enrollment time, False Acceptance Rate (FAR), False Rejection Rate (FRR), Group Policy Object (GPO)

Heterogeneous environment, Identification, Impersonate, Integrated Windows authentication, IUSR_computername account, Kerberos, Kerberos realm, Key Distribution Center (KDC), Keystroke logging program, L0phtcrack, LAN Manager protocol, LC5, Microsoft Passport authentication, Mutual authentication, NTLM protocol, NTLMv2 protocol, One-time password, OWA, PAM, Passphrase, Peer-to-peer network, Replay attack, Secondary logon, Security Accounts Manager (SAM) database, Security Identifier (SID), Security principal, Simple file sharing, Single sign-on, Smart card, Strong password, Throughput rate, Ticket Granting Service (TGS), Ticket Granting Ticket (TGT), Trojan horse application, Trust relationship, Two-factor authentication, Type 1 authentication, Type 2 authentication, Type 3 authentication, Type I error, Type II error, User-based access control, Windows Live authentication.

ASSESS YOUR UNDERSTANDING
Go to www.wiley.com/college/cole to evaluate your knowledge of authentication. Measure your learning by comparing pre-test and post-test results.

Summary Questions
1. A smart card is an example of two-factor authentication. True or false?
2. On a Linux computer, in which file are user accounts stored? (a) /etc/users (b) /etc/passwd (c) /etc/Kerberos (d) /etc/credentials
3. Which type of IIS authentication passes the user name and password in clear text? (a) basic authentication (b) digest authentication (c) Windows integrated authentication
4. Which of the following is an example of type 3 authentication credentials? (a) password (b) PIN number (c) smart card (d) retinal scan
5. Which of the following authentication protocols can be used with a Windows 95 client only if Active Directory client extensions are installed? (a) LAN Manager (b) Kerberos (c) NTLM (d) NTLMv2
6. Active Directory user credentials are stored in the SAM database. True or false?
7. Which authentication protocol stores a password using an MD4 hash? (a) LAN Manager (b) Kerberos (c) NTLM (d) NTLMv2

8. Which of the following authentication protocols can be used for Active Directory authentication, but not for SAM authentication? (a) LAN Manager (b) Kerberos (c) NTLM (d) NTLMv2
9. The Password must meet complexity requirements policy is enabled on a computer running Windows XP Professional. Which password is valid? (a) 123spam (b) yDo1T (c) &some1 (d) !@#$%^
10. The Account lockout duration policy is set to 0 on a computer running Windows XP Professional. This means the account will never be locked out. True or false?
11. Which of the following can be configured for an Active Directory user account, but not for a local user account? (a) Account logon hours (b) Password length restrictions (c) Password history restrictions (d) Account lockout policy
12. Which policy would you enable to create a log of all Active Directory users who are authenticated by a domain controller? (a) Audit account logon events—Success (b) Audit directory service access—Success (c) Audit logon events—Success (d) Audit system events—Success

Applying This Chapter
1. You are designing an authentication strategy for an Active Directory network. The network includes clients that are running Windows 95, Windows 98, and Windows XP Professional. The member servers on the network are all running either Windows 2000 Server or Windows Server 2003. The company is implementing a web application that will be used by employees when they are traveling. The web application will be installed on a server in the perimeter network. You want to minimize administrative effort to manage logons to the web application.

(a) By default, what protocol will be used to authenticate the Windows 98 clients when the users log on to the domain?
(b) What would you need to do to ensure that mutual authentication can be used for all domain authentication?
(c) Which computers will be authenticated by the domain controllers?
(d) What IIS authentication method will be the most secure way to authenticate the users?
(e) What is the drawback to using digest authentication?
(f) What is the drawback to using integrated Windows authentication?
(g) What changes to the network would be required to use smart card authentication?
(h) How can you ensure that users choose good passwords?
(i) Given the current network configuration, what is the largest value you can use for the Minimum password length policy?
(j) A kiosk computer in the lobby is often used to log on to the domain. How can you determine which users are logging on to the kiosk computer?

YOU TRY IT

Protecting Your Identity
If you log on to a network at work or use the Internet at work or at home, you most likely must prove who you are and be authenticated by a server. Have you ever thought about the credentials you use and whether they are secure?
1. List some of the servers where you must provide credentials to log on and rate how likely it would be for a hacker to discover your password.
2. Do any of the servers you log on to have password policies?
3. Are the password policies posted?
4. Do you think posting password policies clearly makes a website more or less secure?

Considering a Future of Biometrics
Biometrics offers security, but not without controversy. Many people are concerned that biometric authentication invades our privacy. Others are concerned that devices might not be sanitary. How do you feel about different biometric characteristics and their acceptability ratings? On a scale of 1 to 10, where 1 is least acceptable, rank the following biometric characteristics.
▲ Retina scans
▲ Iris scans
▲ Fingerprints
▲ Facial scans
▲ Palm scans
▲ Hand geometry
▲ Voice
▲ Handwritten signature dynamics
For any characteristic you ranked lower than 5, describe your concerns.

5 AUTHORIZATION AND ACCESS CONTROL

Starting Point
Go to www.wiley.com/college/cole to assess your knowledge of authorization and access control. Determine where you need to concentrate your effort.

What You’ll Learn in This Chapter
▲ Access control models
▲ Access control best practices
▲ Groups
▲ Permissions
▲ Rights and privileges

After Studying This Chapter, You’ll Be Able To
▲ Describe the three access control models
▲ Use Windows® groups to assign permissions in an Active Directory® domain
▲ Configure NTFS (NT™ File Systems) and share permissions to meet access requirements
▲ Assign users rights to access a Windows computer
▲ Manage permissions on a Unix® or Linux computer

INTRODUCTION
A key part of securing a network is protecting resources against unauthorized access and preventing users from performing operations they should not be allowed to perform. As you learned in Chapter 4, there are two parts to that process: authentication and authorization. This chapter will focus on authorization. The chapter starts with a conceptual look at access control by looking at the three access control models. You’ll also learn about the principle of least permission. Next the chapter examines how objects, such as files and printers, are protected in Windows operating systems, particularly in an Active Directory domain. Finally, the chapter looks at how permissions are set on a Unix computer.

5.1 Access Control Models
Access control is designed to mitigate access-related vulnerabilities that could be exploited by threats to a network. In this case, the threat would have the potential to bypass or foil access control mechanisms and allow an attacker to gain unauthorized access to a network. In discussing access control, the terms subject and object are used. A subject is an active entity (such as an individual or process) and an object is a passive entity (such as a file). A subject is also called a principal. An object is also called a securable. Access control involves determining what a subject can do with an object. Access control models can be classified as discretionary, mandatory, and role-based. In this section we’ll discuss each of these.

5.1.1 Discretionary Access Control (DAC)
In discretionary access control (DAC), permissions to access an object are assigned by an authorizing entity (normally an administrator or an object’s owner). One means of specifying discretionary access control is through a table. The table contains the subjects, objects, and access privileges that are assigned to the subjects relative to the objects. This table is sometimes called an access control list (ACL). Table 5-1 is an example of an ACL. For example, it shows that the program named “Salary” can read or write data from the file named “Salary” and has read privileges for the file named “Benefits.” Also, the program “Salary” can execute the process called “Evaluation.” Ms. Jones can read a file named “Benefits,” but cannot access the file named “Salary” or execute the process named “Evaluation.” The process named “Average” can read and modify the file named “Salary,” but can only read the file named “Benefits.” Windows uses an object’s ACL to determine who can access it and how.

Table 5-1: Access Control List
Subject | Object 1 (File “Salary”) | Object 2 (File “Benefits”) | Object 3 (Process “Evaluation”)
Program “Salary” | Read/write | Read | Execute
Ms. Jones | None | Read | None
Mr. Tops | Read/write | Read/write | None
Process “Average” | Read/write | Read | None

Resources on a web server can also be secured using an ACL. If a user is not allowed access to the resource, a 403 error occurs. A user that has the right to alter the access privileges to certain objects operates under user-directed discretionary access control. One example of user-directed discretionary access control is peer-to-peer networking. In a peer-to-peer network, each user is responsible for managing access control to his or her own resources. Another discretionary access control type based on an individual’s identity is known as identity-based access control. With identity-based access control, a user’s identity is verified and managed by a different person or organization than the one that manages permissions and privileges.

5.1.2 Mandatory Access Control (MAC)
In mandatory access control (MAC), a subject’s authorization or clearance is formally matched to an object’s sensitivity classification. In the United States, the military classifies documents as unclassified, confidential, secret, or top secret. Similarly, an individual can receive a clearance of confidential, secret, and top secret, and can have access to documents classified at or below his or her specified clearance level, but with a restriction called the need to know. Need to know means that the subject must have a need to access the requested classified document to perform his or her assigned duties. Thus, an individual with a secret clearance can access secret and confidential documents. A key difference between DAC and MAC is that with DAC, an object’s owner can specify the access control list for an object. With MAC, a central authority determines the classification for objects, regardless of who creates or owns them. Rule-based access control is a type of mandatory access control in which rules determine the access privileges (such as the correspondence of clearance labels to classification labels), rather than the identity of the subjects and objects alone.
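The two models can be contrasted in a few lines of code. The following Python block is an added example, not code from the book: the DAC part encodes the access matrix of Table 5-1 and lets only an object's owner change it (the owner assignment is constructed, since Table 5-1 records no owners); the MAC part applies the rule that a clearance must be at or above a document's classification, with the constructed compartment names standing in for need-to-know.

```python
"""Discretionary (access matrix) and mandatory (clearance label) checks.

Added example, not the book's code. Subject and object names come from
Table 5-1; owners and compartments are constructed for the example.
"""
from enum import IntEnum

SALARY, BENEFITS, EVALUATION = 'File "Salary"', 'File "Benefits"', 'Process "Evaluation"'

# DAC: Table 5-1 as subject -> object -> set of rights ("None" becomes an empty set).
ACL = {
    'Program "Salary"':  {SALARY: {"read", "write"}, BENEFITS: {"read"},          EVALUATION: {"execute"}},
    "Ms. Jones":         {SALARY: set(),             BENEFITS: {"read"},          EVALUATION: set()},
    "Mr. Tops":          {SALARY: {"read", "write"}, BENEFITS: {"read", "write"}, EVALUATION: set()},
    'Process "Average"': {SALARY: {"read", "write"}, BENEFITS: {"read"},          EVALUATION: set()},
}
OWNERS = {SALARY: "Mr. Tops"}   # constructed: Table 5-1 does not say who owns each object


def dac_allowed(subject, obj, right):
    """Default deny: a subject or object absent from the matrix gets nothing."""
    return right in ACL.get(subject, {}).get(obj, set())


def dac_grant(owner, subject, obj, right):
    """Discretionary: the object's owner decides who else gets access."""
    if OWNERS.get(obj) != owner:
        raise PermissionError(f"{owner} does not own {obj}")
    ACL.setdefault(subject, {}).setdefault(obj, set()).add(right)


# MAC: labels form a total order; comparing them is an integer comparison.
class Label(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_read_allowed(clearance, need_to_know, classification, compartments=()):
    """Read only if the clearance is at or above the classification AND the
    subject has need-to-know for every compartment the document is in.
    No owner check exists: labels are set centrally, not by the subject."""
    return clearance >= classification and set(compartments) <= set(need_to_know)
```

The asymmetry the text describes is visible in the two grant paths: `dac_grant` succeeds for whoever owns the object, while in the MAC functions there is no call a subject could make to widen its own access.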

Figure 5-1 RBAC. (Figure content: users Sam, Mike, and Sara; the Accountants role has Read on File 1 and Read/write on File 2; the Managers role has Read on File 2 and Read/write/delete on File 3.)

A potential problem with MAC is its lack of flexibility because it segregates access in such large blocks and doesn’t provide a good way to group individuals with similar access requirements.

5.1.3 Role-Based Access Control (RBAC)
A role-based access control (RBAC) model involves assigning permissions to perform actions on objects based on a person’s role or job. RBAC requires that you assign users to roles and grant object permissions to roles. Therefore, users are assigned membership in roles and roles are assigned permissions on objects. This is illustrated in Figure 5-1. In this example, Sam and Mike are Accountants and Sara and Mike are Managers. Accountants are given permission to read File1 and read and write to File2. Sam and Mike are granted those permissions because of their membership in the Accountants role. All members of Managers can read, write, and delete File3. As you can see, Sara and Mike have that permission as well. Because Sara is only a member of the Managers role, she can read File2, but cannot write to it. The model allows for a high level of detail, but the actual implementation of the model will determine how fine a level permissions are granted on and how well roles within the organization are defined. RBAC can be implemented through the use of groups in Windows Server® 2003, Windows 2000 Server, and Windows NT and in Novell® NetWare®. A group is a collection of users that is assigned a specific set of permissions. To implement RBAC, you would create a group for each role. The assumption is

that a group’s permissions are likely to remain fairly constant. However, the users who are assigned to a specific group might change due to hiring, firing, promotion, and other business requirements. When this happens, the administrator only needs to manage group membership, not individual permissions. One thing to keep in mind is that all group-based access controls are not necessarily role-based. Sometimes groups are created based on criteria other than the roles performed within the organization. If a company requires role-based access control, it is up to the security team to ensure that the groups created map to organizational roles. This model is very flexible because it segregates access control based on a user’s relationship to the data being secured. It can be used by businesses, and even when securing medical data. For example, you might indicate that patients and doctors can access all patient data, whereas the accounting personnel can access only billing and payment information.

FOR EXAMPLE
RBAC in a Database Management System
A common use of RBAC is to implement access control for the objects in a relational database management system (RDBMS). One example of an RDBMS that implements role-based security is SQL Server 2005. SQL Server 2005 includes fixed server roles, which are roles mapped to the types of tasks normally performed on a database server. For example, the serveradmin role can modify the server’s configuration settings, start the server, and stop the server, whereas the dbcreator role can create databases on the server. These roles are fixed server roles, meaning that their permissions cannot be changed. SQL Server logins can be assigned membership in one or more of these roles. SQL Server also has database-level roles. These roles are used to assign permissions to the objects in a specific database. Some of these roles are fixed database roles. For example, the db_backupoperator role has permission to back up a database. A member of the db_securityadmin role can create custom roles, manage their permissions, and manage membership in those roles. Database-level roles can be used to assign permissions at a very fine level of detail. SQL Server also supports application roles. An application role is one that is used to allow certain types of access to an application, regardless of who is running it. For example, an accounting application might be granted access to the AccountsPayable table. Any user who runs the accounting application would be able to access that table, but only through the accounting application.
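The role model of Figure 5-1 and the fixed-role idea from the SQL Server discussion can be exercised together. The following Python block is an added example, not code from the book or from SQL Server: the roles, members and permissions are those of Figure 5-1, the choice of Accountants as a "fixed" role whose permissions cannot be changed is constructed to mirror SQL Server's fixed roles, and the last helper reports the rights a user holds beyond what a job needs.

```python
"""Role-based access control: users hold roles, ro­les hold permissions.

Added example, not the book's code. Data follow Figure 5-1; the FIXED_ROLES
set is constructed to imitate a fixed role whose permissions cannot change.
"""
ROLE_PERMISSIONS = {                         # role -> object -> rights (Figure 5-1)
    "Accountants": {"File1": {"read"}, "File2": {"read", "write"}},
    "Managers":    {"File2": {"read"}, "File3": {"read", "write", "delete"}},
}
ROLE_MEMBERS = {                             # role -> users (Figure 5-1)
    "Accountants": {"Sam", "Mike"},
    "Managers":    {"Sara", "Mike"},
}
FIXED_ROLES = {"Accountants"}                # constructed: permissions of these roles are frozen


def roles_of(user):
    return {role for role, members in ROLE_MEMBERS.items() if user in members}


def effective_rights(user, obj):
    """Union of the rights granted on `obj` by every role the user holds."""
    rights = set()
    for role in roles_of(user):
        rights |= ROLE_PERMISSIONS[role].get(obj, set())
    return rights


def rbac_allowed(user, obj, right):
    return right in effective_rights(user, obj)


def set_membership(user, role, member=True):
    """The only administrative operation hiring, firing or promotion needs."""
    if role not in ROLE_MEMBERS:
        raise KeyError(role)
    (ROLE_MEMBERS[role].add if member else ROLE_MEMBERS[role].discard)(user)


def grant_to_role(role, obj, rights):
    """Permissions are attached to roles, never to users; fixed roles refuse changes."""
    if role in FIXED_ROLES:
        raise PermissionError(f"{role} is a fixed role; its permissions cannot be changed")
    ROLE_PERMISSIONS.setdefault(role, {}).setdefault(obj, set()).update(rights)


def excess_rights(user, obj, needed):
    """Rights the user holds on `obj` beyond what the job requires."""
    return effective_rights(user, obj) - set(needed)
```

Note that there is no function that grants a right to a user directly: when Sara needs to write File2, the administrator adds her to Accountants, and removing her later revokes everything that role carried.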

5.1.4 Principle of Least Permission
When designing an access control strategy, you should determine the least amount of access a user or role requires to do his or her job, and you should assign only that amount of access permissions. This is known as applying the principle of least permission (also called the principle of least privilege). Granting unnecessary permissions can open the doorway to malicious or accidental violations of confidentiality and integrity. One thing to consider when granting permissions is that the Read permission is used to protect the confidentiality of a file, whereas the Write permission is used to protect the integrity of a file. The Execute permission is the permission to execute a code file. With some access control systems, the Write permission implies the Read permission. In others, the permissions are granted independently. In most cases, the Execute permission must also imply Read permission.

SELF-CHECK
1. Describe the three access control models.
2. Describe the principle of least permission.

5.2 Implementing Access Control on Windows Computers
Windows Server 2003, Windows Vista™, Windows XP, Windows Server 2000 and Windows NT 4.0 all implement discretionary access control and also allow you to implement role-based access control if you create groups that map to roles within the organization. In this section, we’ll look at how to implement access control on a Windows network. Our emphasis will be access control in an Active Directory environment. A discussion of peer-to-peer resource sharing is outside the scope of this chapter, except to note that peer-to-peer resource sharing presents a security risk on your network because access control is put in the hands of the users.

5.2.1 Principals
In Windows 2000/XP/Vista and Windows Server 2003, principals can be local users, domain users, groups, or computers. Principals have a human-readable name (username) and a machine-readable identifier, the SID (security identifier). Local principals (local users and groups) are administered locally and are visible only to the local computer. The human-readable name of a

local user has the form computer_name\principal, for example, FileServer1\Administrators. Local users and groups can be displayed from the command line with the following commands:

net user
net localgroup

Figure 5-2 Local users and groups.

Figure 5-2 shows the results of running these commands on a computer running Windows XP Professional and SQL Server. Notice that when SQL Server is installed, groups are created. This is something to keep in mind when you install server applications.

Domain principals are administered on a domain controller. They are seen by all computers on the domain. Examples are domain users, Domain Local groups, Domain Global groups, and Universal groups. The human-readable name of a domain user, group, or machine can be written using one of two forms:
1. principal@domain
2. DOMAIN\principal
For example:
1. diego@europe.microsoft.com
2. EUROPE\diego
Domain users and groups can be displayed by adding the options switch /domain as follows:

net user /domain
net group /domain
net localgroup /domain

Figure 5-3 shows the results of running these commands on a domain that includes a server running Microsoft® Exchange Server 2007 and that has a number of role-based groups created, such as the Chefs, Managers, and Temps Global groups and the RecipeReaders and RecipeWriters Domain Local groups.

Security Identifiers (SIDs)
In Windows systems, the SID is a value that uniquely identifies a user, group, or computer. The following are some well-known SIDs (a well-known SID is one used on every Windows computer or domain):
▲ Everyone (World): S-1-1-0
▲ LOCAL SYSTEM: S-1-5-18
▲ Administrator: S-1-5-21-<local authority>-500
▲ Administrators: S-1-5-32-544
▲ Domain Admins: S-1-5-21-<domain authority>-512
▲ Guest: S-1-5-21-<authority>-501
The SID is constructed when a user account is created and is fixed for the lifetime of the account. Because a pseudorandom input (clock value) is used in its construction, you will not get the same SID if you delete an account and then recreate it with exactly the same parameters as before. Therefore, the new account will not retain the access permissions assigned to the old account.
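The SID structure described above (revision, identifier authority, sub-authorities, and a final relative identifier) is easy to take apart programmatically, which is useful when reading ACLs or audit records that show raw SIDs. The following Python block is an added example, not code from the book or from Windows: it parses a SID string, reports the RID and the issuing domain portion, recognises the well-known SIDs listed above, and tells whether two account SIDs were issued by the same domain. The numeric domain parts used in the test are constructed placeholders.

```python
"""Parse and classify Windows security identifiers (SIDs).

Added example, not the book's code. The well-known values are the ones
listed in the text; any S-1-5-21-... domain portions are constructed.
"""
import re
from dataclasses import dataclass

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class SID:
    revision: int
    authority: int          # identifier authority (5 = NT authority)
    subauthorities: tuple   # one or more sub-authority values

    @property
    def rid(self):
        """Relative identifier: the last sub-authority, e.g. 500 for Administrator."""
        return self.subauthorities[-1]

    @property
    def domain_part(self):
        """Everything before the RID; identifies the issuing domain or machine."""
        return self.subauthorities[:-1]

    def __str__(self):
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(x) for x in self.subauthorities))


def parse_sid(text):
    """Split 'S-R-I-S-S...' into its fields; reject anything else."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    rev, auth, rest = m.groups()
    return SID(int(rev), int(auth), tuple(int(x) for x in rest.strip("-").split("-")))


# Fixed well-known SIDs match exactly; the S-1-5-21 ones match on the RID
# once the domain or machine portion is set aside.
FIXED = {"S-1-1-0": "Everyone (World)", "S-1-5-18": "LOCAL SYSTEM", "S-1-5-32-544": "Administrators"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins"}


def describe(sid):
    s = str(sid)
    if s in FIXED:
        return FIXED[s]
    if sid.authority == 5 and sid.subauthorities[:1] == (21,) and sid.rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[sid.rid]
    return "account-specific"


def same_domain(a, b):
    """True when two S-1-5-21 SIDs were issued by the same domain or machine."""
    return (a.subauthorities[:1] == (21,) and b.subauthorities[:1] == (21,)
            and (a.authority, a.domain_part) == (b.authority, b.domain_part))
```

The RID-based lookup is what makes "Administrator is RID 500" useful in practice: the account can be renamed, but its SID ends in 500 on every machine and domain, so an audit of an ACL can flag it regardless of its display name.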

Figure 5-3 Domain users and groups.

When a domain is created, a unique SID is constructed for the domain. When a workstation or a server joins a domain, it receives a SID that includes the domain’s SID.

Groups
Windows security groups allow you to assign permissions to a large number of users at a single time. This facilitates a consistent assignment of permissions to multiple users with the same access requirements. Using groups to assign permissions makes the management and auditing of users more efficient. There are several types of groups within an Active Directory forest (one or more domains that trust each other). Their membership depends on whether the domain is a native mode domain or a mixed mode domain. A native mode domain is one that consists of only Windows 2000 and Windows Server 2003 domain controllers. A mixed-mode domain is one that contains one or more Windows NT 4.0 domain controllers or one that has not been converted to native mode. Table 5-2 shows the different groups and what can be a member of each of the group types.

Table 5-2: Windows Group Types
Group Type | Membership
Universal group | Native mode: Accounts, Global groups from any domain, other Universal groups. Mixed mode: not available
Global group | Native mode: Accounts or Global groups from the same domain. Mixed mode: Accounts from the same domain
Domain Local group | Native mode: Accounts, Global groups, and Universal groups from any domain, Domain Local groups from the same domain. Mixed mode: Accounts and Global groups from any domain

Active Directory has some built-in groups that can be used to manage some permission assignments on the network. All built-in groups are Domain Local groups. The following are some built-in groups you will commonly use:
▲ Account Operators: can manage user and group accounts on a domain controller.
▲ Administrators: has full control over any computer in the domain. Administrator account is a member by default.

▲ Backup Operators: can run backup and restore operations.
▲ Guests: more limited than the members of the Users group. Used for anonymous users like the Guest account or the IIS anonymous user account. The Guest account (which is disabled by default) is a member.
▲ Network Configuration Operators: has some rights to manage the network configuration parameters for the computers in the domain.
▲ Print Operators: can manage printers in the domain.
▲ Server Operators: can manage domain member computers.
▲ Users: accounts with limited access in the domain. All users in the domain are members.
Some global groups are also created automatically. These include the following:
▲ Domain Admins: a member of the Administrators group.
▲ Domain Computers: all computers that have been added to the domain are members.
▲ Domain Controllers: all domain controllers for the domain are members.
▲ Domain Guests: a member of the Guests group.
▲ Domain Users: a member of the Users group.
You add domain groups through Active Directory Users and Computers. The New Object—Group dialog for a mixed-mode domain is shown in Figure 5-4. As you can see, the Universal Security group option is not available.
The recommended practice for assigning permissions using groups in Windows networks is to follow the practice of AG(G)DLP. The following explains this process:
1. Place (A)ccounts in (G)lobal groups.
2. Optionally, nest (G)lobal groups (make a global group a member of a different global group).
3. Place the Global groups in (D)omain (L)ocal groups.
4. Assign (P)ermissions for the resource to the Domain Local group.
Although acronym AG(G)DLP is a great way to remember this process, the last task you should perform is placing the Global groups in the Domain Local groups so that an account can’t use a permission until all of the permissions have been assigned. Universal groups can be used to consolidate groups whose logical membership should span domains. In order to accomplish this, you add the

Figure 5-4 Creating a new domain group.

accounts to Global groups in their respective domain and then nest the Global groups within Universal groups. This is the recommended strategy because changes in the membership of the Global group will not cause changes in the Universal group, which typically would require replication of the global catalog to each global catalog server in the forest. A global catalog is a database that contains a subset of Active Directory objects and object attributes for every domain in the forest. A global catalog server is a domain controller that hosts a global catalog. With the addition of Universal groups to the AG(G)DLP guideline, the recommendation becomes AG(G)UDLP, as seen in the following list:
▲ Place (A)ccounts in (G)lobal groups.
▲ Optionally nest (G)lobal groups.
▲ Place (G)lobal groups into (U)niversal groups.
▲ Place Universal groups into (D)omain (L)ocal groups.
▲ Assign (P)ermissions to the Domain Local group.
Computers running Windows Server 2003, Windows 2000 Server and Windows NT also support local groups. A local group is created and managed on the local computer. Global groups and universal groups can be members of local groups.

glEastHR.5. In each domain. glEastHR. the ACL contains all of the permission attributes regarding an object. There are HR accounts in each of the domains. or to an individual property of an object. Next. The company’s Active Directory is made up of three domains: TJR. Thatcher creates a Universal group named uHR.lan. Each time membership changes in any of the Global groups. including who is explicitly granted access as well as those explicitly denied access to the object. There are two types of ACLs: 1. which is made up of the two basic components: 1. Once that step is completed.2. he adds the uHR Universal group as a member the dlHR groups in each domain. Also. 2. forestwide replication would be required. replication will only need to occur within each domain and not between them.TJR.2 Windows Access Control Model The access control for Active Directory objects relies on the Windows access control model. 5. In addition.lan. to a set of the object’s properties. and Thatcher wants to keep the ACLs short and easy to maintain. To reduce replication. the ACL would have three access control entries (ACEs). Security descriptors: contain the security information that protects an object. An ACL (in the Windows environment) is a list of security protections that apply to an entire object. Thatcher grants each of the dlHR Domain Local groups (one for each domain) the appropriate permissions on the HR data. Security Descriptors A security descriptor contains two ACLs. east.2 IMPLEMENTING ACCESS CONTROL ON WINDOWS COMPUTERS 161 FOR EXAMPLE Taking Advantage of Universal Groups Thatcher is the network administrator for a large consulting company. and glWestHR—and then adds them to the dlHR Domain Local group in each domain. An access token provides the security context for the session. Simply put. and west. Discretionary access control list (DACL): the part of the security descriptor that grants or denies specific users and groups access to the object. The . 
Thatcher creates a Global group in each domain—glCorpHR. He then adds the glCorpHR. Access tokens: contain the information regarding a logged-on user. there are human resource records that all HR personnel need to be able to modify. Now as membership changes in the Global groups.TJR. he needs to minimize replication traffic between domains. and glWestHR Global groups to uHR.lan.
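The membership rules of Table 5-2 and the AG(G)UDLP chain that Thatcher builds can be checked mechanically, which is worth doing because a nesting that violates the rules is exactly the kind of configuration that silently fails to grant (or grants too widely). The following Python model is an added example, not code from the book or from Windows: it enforces Table 5-2's native-mode rules on every membership change, only lets permissions be assigned to Domain Local groups, and computes an account's rights through transitive group membership. The domain and group names follow Thatcher's example; the HR user names (hr.corp, hr.east, hr.west) are constructed.

```python
"""AG(G)UDLP group nesting with Table 5-2's native-mode membership rules.

Added example, not the book's code. Group names come from the Thatcher
example above; the HR user accounts are constructed for the demonstration.
"""
from collections import namedtuple

Principal = namedtuple("Principal", "name domain kind")  # kind: account|global|universal|domainlocal


class Forest:
    def __init__(self):
        self.principals = {}    # name -> Principal
        self.members = {}       # group name -> set of member names
        self.permissions = {}   # (group name, resource) -> set of rights

    def add(self, name, domain, kind):
        self.principals[name] = Principal(name, domain, kind)
        if kind != "account":
            self.members[name] = set()

    def add_member(self, group, member):
        """Refuse any nesting Table 5-2 (native mode) does not allow."""
        g, m = self.principals[group], self.principals[member]
        same_domain = g.domain == m.domain
        allowed = {
            "global":      m.kind in ("account", "global") and same_domain,
            "universal":   m.kind in ("account", "global", "universal"),
            "domainlocal": m.kind in ("account", "global", "universal")
                           or (m.kind == "domainlocal" and same_domain),
        }[g.kind]
        if not allowed:
            raise ValueError(f"{g.kind} group {group} cannot contain {m.kind} {member} from {m.domain}")
        self.members[group].add(member)

    def grant(self, group, resource, rights):
        """The P in AG(G)UDLP: permissions go on Domain Local groups only."""
        if self.principals[group].kind != "domainlocal":
            raise ValueError(f"{group} is not a Domain Local group; assign permissions to one")
        self.permissions[(group, resource)] = set(rights)

    def groups_of(self, name):
        """Every group reachable from `name` through nested membership."""
        found, todo = set(), [name]
        while todo:
            current = todo.pop()
            for group, members in self.members.items():
                if current in members and group not in found:
                    found.add(group)
                    todo.append(group)
        return found

    def rights(self, account, resource):
        """Union of the permissions held by every group the account is (transitively) in."""
        result = set()
        for group in self.groups_of(account):
            result |= self.permissions.get((group, resource), set())
        return result


def build_thatcher_forest():
    """Three domains, one Global HR group each, one Universal group, one Domain Local group per domain."""
    f = Forest()
    f.add("uHR", "TJR.lan", "universal")
    for domain, tag in {"TJR.lan": "Corp", "east.TJR.lan": "East", "west.TJR.lan": "West"}.items():
        user = f"hr.{tag.lower()}"                       # constructed HR account in this domain
        f.add(user, domain, "account")
        f.add(f"gl{tag}HR", domain, "global")
        f.add(f"dlHR@{domain}", domain, "domainlocal")
        f.add_member(f"gl{tag}HR", user)                 # A -> G
        f.add_member("uHR", f"gl{tag}HR")                # G -> U
        f.add_member(f"dlHR@{domain}", "uHR")            # U -> DL
        f.grant(f"dlHR@{domain}", f"HR records in {domain}", {"read", "write"})  # DL -> P
    return f
```

With the forest built this way, an HR user in east.TJR.lan reaches the HR records in west.TJR.lan through glEastHR, uHR and dlHR@west.TJR.lan, and each dlHR group's ACL carries a single entry, which is the "short and easy to maintain" property Thatcher wanted.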

owner of an object can modify the DACL, as can administrators and other users who have been granted the Change Permissions permission.
2. System access control list (SACL): the part of the security descriptor that dictates which events are to be audited for specific users or groups.
A security descriptor also includes the object owner’s SID. Both the DACL and the SACL consist of access control entries (ACEs), which identify the users and groups that are granted or denied a specific type of access. In order to view the DACLs and SACLs, you must enable Advanced Features from the Active Directory Users and Computers tool’s View menu.

Access Tokens
When a user logs on successfully, the system will produce an access token that includes the identity and privileges of the user account. The system then uses the token to identify the user when the user’s thread interacts with a securable object or attempts to perform some action that requires privileges. The following is a partial list of the elements that are contained in an access token:
▲ User’s SID.
▲ SIDs for the groups in which the user is a member.
▲ Logon SID, which is an SID that persists only for the duration of the active logon session.
▲ List of the privileges possessed by the user or the groups to which the user belongs.
▲ An owner SID.
▲ The SID for the user’s primary group.
▲ The default DACL, which includes the creator/owner permissions, that is used when the user creates a securable object.
▲ The source of the access token.
▲ A value that indicates whether the token is a primary or an impersonation token. A primary token means the token is associated with the user who is logged on to the computer where the process is running. An impersonation token is created when a client accesses a server on behalf of the user.
As a result of this information being assigned when a user logs on, certain conditions might require a user to log off and then back on in order to gain access to a recently modified permission. For example, a user is added to a Security group while they are currently logged on. The access token that

computers.2 IMPLEMENTING ACCESS CONTROL ON WINDOWS COMPUTERS 163 they have already received does not contain the SID for the newly assigned group and the user’s current thread will not be a member of the group. The standard permissions are a combination of individual (special) permissions. and groups for administration and Group Policy application. typically an organizational unit Provides the ability to remove any type of child object from a container Write Read Create All Child Objects Delete All Child Objects . Table 5-3 lists the standard permissions. however. To rectify this situation. you can assign permissions to any single object.2. An organizational unit is a container for organizing users. The available special permissions are different depending on the resource that you are attempting to secure. you will use permissions to assign privileges to an organizational unit (OU). Active Directory has several types of permissions. Table 5-3: Active Directory Standard Permissions Permission Full Control Description Includes Change Permissions and Take Ownership. and Active Directory permissions Provides the ability to create any type of object in a container.5. the user must acquire a new access token by logging off and back on again. 5.3 Understanding Active Directory Object Permissions In Active Directory. Read Extended Attributes. every object has its own security descriptor that specifies which accounts have permission to access the object as well as what type of access is permitted. and so forth. They include Read Attributes. the owner. Typically. object attributes. the standard permissions are composed of those that are the most commonly assigned. Read Permissions. The object permissions are what provide you with the capability to control who can access individual objects or an object’s attributes within the directory. Write Attributes. Change Permissions. 
as well as all other standard permissions Provides the ability to change an object’s attributes Provides the ability to view objects.

An inherited permission is one that is configured at an object higher in the hierarchy and that flows down to the objects lower in the hierarchy. Active Directory object permissions can be granted or denied (either implicitly or explicitly), set as standard or special permissions, and set at the object level or inherited from a parent object. At any given level in the hierarchy, a Deny overrides an Allow. For example, suppose Tom is a member of the TechSupport group and the Temp group. The TechSupport group is granted the Write permission on the Sales organizational unit, and the Temp group is denied the Write permission on the Sales organizational unit. In this case, Tom will not be able to modify the attributes of the objects inside the Sales organizational unit, because the Deny ACE in the DACL overrides the Allow ACE. The one exception worth remembering is that permissions set directly on an object are evaluated before permissions inherited from its parent, so an explicit Allow on an object does override a Deny that was inherited from above.
You can access the special permissions by clicking Advanced on the Security tab of the object's Properties dialog box, selecting a permission entry for Special permissions (see Figure 5-5), and clicking the Edit button. The individual permissions granted by that entry will be displayed, as shown in Figure 5-6.

Figure 5-5 Advanced Security Settings.

Figure 5-6 Permission Entry dialog box.

5.2.4 Designing Access Control for Files and Folders
Just as with Active Directory objects, there are different access permissions that apply to files and folders. NTFS permissions are permissions configured for a file or folder. They are always checked when an attempt is made to access a resource on the file system, whether the access is local or across the network. The standard permissions that are provided for an NTFS folder are as follows:
▲ Full Control
▲ Modify
▲ Read & Execute
▲ List Folder Contents
▲ Read
▲ Write

NTFS permissions are managed on the Security tab of a folder's or file's Properties dialog box, as shown in Figure 5-7. The users and groups on the object's ACL are listed there. These standard permissions are really combinations of special permissions, so when you grant a standard permission, you are really granting one or more special permissions. Although you can grant and deny special permissions individually, you should try to avoid using special permissions and instead use standard permissions, to make permissions issues easier to troubleshoot. As with Active Directory object permissions, these permissions can be granted (allowed, in the Properties dialog box) or denied. If a box is checked and grayed out, it means the permission is inherited from a parent object.

Figure 5-7 NTFS permissions.

Troubleshooting NTFS Permissions
Because a user can be granted or denied permissions in so many ways, sometimes you might need to troubleshoot an issue in which a user has too many or not enough permissions to access an object. The Effective Permissions tab of Advanced Security Settings for an object, shown in Figure 5-8, allows you to determine a user's effective NTFS permissions on that object, taking into consideration group memberships, inherited permissions, and explicit permissions. This is a good way to start troubleshooting an access control problem. One thing to keep in mind is that effective permissions consider NTFS permissions only, not share permissions. Therefore, when troubleshooting a permissions problem, if the effective permissions are fine, check the share permissions to see if they are causing the problem.

Figure 5-8 Effective Permissions.

Default Permissions
In earlier versions of Windows, the default file permissions were inadequate because they gave all users Full Control. As a result of the new focus at Microsoft on security, Microsoft is now implementing secure defaults whenever possible. One example of this is default permissions. In Windows Server 2003, the Users group receives only the Read & Execute, List Folder Contents, and Read permissions by default, because it inherits those permissions from the volume root. The Administrators group and the special SYSTEM group inherit Full Control permission.

Share Permissions
There is another level of access control that applies only when the resource is being accessed across the network through a shared folder: Share permissions. Share permissions are managed through the Sharing tab of a resource (see Figure 5-9). Click Permissions to display the Permissions dialog box, as shown in Figure 5-10.

Figure 5-9 The Sharing tab.

When designing the access control for files and folders, you will need to remember that Share permissions determine the maximum access that is allowed when the file is accessed through a share. The NTFS permissions that are assigned to the requesting principal are combined with the Share permissions, and only the more restrictive result passes through. For example, Server5 is sharing a folder named "myShare" and has explicitly granted the Domain Users group Read permission to the share. The Domain Users group is also explicitly granted the Full Control NTFS permission. If a user accesses a file through the share (\\Server5\myShare), members of the Domain Users group will have only Read permission, because Read is the more restrictive of the Share and NTFS permissions. The same users logging on to Server5 interactively are not subject to the share permission at all and receive Full Control, which is why share permissions alone are never an adequate control.

Figure 5-10 Share Permissions.

When a folder is shared on Windows Server 2003 or on Windows XP with Service Pack 1 (or later), the Read permission is granted to the Everyone group as the default permission. When a folder is shared on Windows XP without service packs, the Everyone group is granted Full Control. You will want to remove this default entry and grant permissions only to the required principals. As with NTFS permissions, you can allow or deny permission to a share.
Windows Vista also allows you to create shared folders. However, the available permissions are different. On Windows Vista, you can assign the following permission levels:
▲ Reader: allows users to read the files.
▲ Contributor: allows users to read the files, add files, and modify and delete their own files.
▲ Co-owner: allows users to read, modify, add, and delete any files in the folder.
Unlike Windows XP and Windows Server 2003, Windows Vista also allows you to share individual files. As you grant specific users or groups rights to the share, their default permission level is Reader.

Hidden Shares
You can create hidden shares (also called administrative shares), which will not be displayed in Windows Explorer if a client navigates to the server using its UNC (Universal Naming Convention) path. You create a hidden share simply by appending a dollar sign ($) to the name of the share when you create it, as you would any other share, such as Accounting$. Hidden shares do not add any layer of security, nor should you assume that they are not visible to a potential attacker: the $ suffix only suppresses browsing, and anyone who knows or guesses the name can connect to it subject to the share and NTFS permissions.
Windows Server 2003 has a few hidden shares that are required for certain administrative tasks. Table 5-4 shows the administrative shares and describes what they are typically used for. By default, the Administrators group is granted Full Control permission to these shares. You cannot modify the permissions of administrative shares.

Table 5-4: Administrative Shares
Share Name; Local Folder; Description
C$, D$, E$; C, D, E; The root of each partition with a drive letter assigned to it is automatically shared. Through this root share, an administrator has remote access to the entire partition tree.
Admin$; %systemroot% (C:\Windows); This is the operating system root. Administrators can use this hidden share to access the Windows installation without knowing the drive or path that Windows was installed to.
Print$; %Systemroot%\System32\Spool\Drivers; When a printer is shared on the server, this share is created to store the operating system drivers required to print to the printer. If no printer is shared on a server, this share will not exist. The Everyone group has Read permission, and the Administrators, Server Operators, and Print Operators groups all have the Full Control permission.
IPC$; (no local folder); This share is used for inter-process communication when administering the server remotely.
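The evaluation rules described in this section and in Section 5.2.3 (Deny overrides Allow within a level, explicit entries before inherited ones, the Effective Permissions tab considering NTFS only, and the share permission capping NTFS access) can be modelled in a few lines. The Python below is an added example for this chapter; it is not the book's code and does not call the Windows API. It models ACEs in the canonical order Windows stores them (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and lets the first ACE that mentions a right decide it. The names Tom, TechSupport, Temp, Domain Users and myShare come from the chapter's examples; "alice" and the right names are illustrative assumptions.

```python
"""Model of Windows DACL evaluation and of share/NTFS combination.

Added example for this chapter, not Microsoft code: principals are plain
strings standing in for SIDs, and only the rules from the text are modelled
(owner-implied rights and the Authenticated Users group are left out).
"""
from dataclasses import dataclass

# Individual (special) rights; the standard permissions are bundles of them.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = (
    "read", "write", "execute", "delete", "change_permissions", "take_ownership")
ALL = frozenset({READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER})

NTFS_STANDARD = {
    "Full Control": ALL,
    "Modify": frozenset({READ, WRITE, EXECUTE, DELETE}),
    "Read & Execute": frozenset({READ, EXECUTE}),
    "Read": frozenset({READ}),
    "Write": frozenset({WRITE}),
}
SHARE_STANDARD = {                     # the three share-level permissions
    "Full Control": ALL,
    "Change": frozenset({READ, WRITE, EXECUTE, DELETE}),
    "Read": frozenset({READ, EXECUTE}),
}
DEFAULT_SHARE_ACL_2003 = None          # filled in below, after ACE is defined


@dataclass(frozen=True)
class ACE:
    principal: str           # user or group name (stands in for a SID)
    allow: bool              # True = Allow ACE, False = Deny ACE
    rights: frozenset
    inherited: bool = False  # True if it flowed down from a parent object


@dataclass(frozen=True)
class Token:
    """The parts of an access token that matter here: user SID and group SIDs."""
    user: str
    groups: frozenset = frozenset()

    def matches(self, principal):
        # Everyone matches every token; a user matches itself and its groups.
        return principal in ("Everyone", self.user) or principal in self.groups


DEFAULT_SHARE_ACL_2003 = [ACE("Everyone", True, SHARE_STANDARD["Read"])]


def canonical_order(dacl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(dacl, token):
    """What the Effective Permissions tab computes: the first ACE that
    mentions a right (in canonical order) decides that right."""
    granted, denied = set(), set()
    for ace in canonical_order(dacl):
        if not token.matches(ace.principal):
            continue
        undecided = set(ace.rights) - granted - denied
        (granted if ace.allow else denied).update(undecided)
    return frozenset(granted)


def access_check(dacl, token, requested):
    """True only if every requested right was granted before being denied."""
    return frozenset(requested) <= effective_rights(dacl, token)


def access_via_share(ntfs_dacl, share_acl, token):
    """Access through a share is capped by the share permission; the
    Effective Permissions tab does not show this, so compute it explicitly."""
    return effective_rights(ntfs_dacl, token) & effective_rights(share_acl, token)


def chapter_scenarios():
    """The two situations from the text, as a dict a test can check."""
    tom = Token("Tom", frozenset({"TechSupport", "Temp"}))
    sales_ou = [ACE("TechSupport", True, NTFS_STANDARD["Write"]),
                ACE("Temp", False, NTFS_STANDARD["Write"])]
    alice = Token("alice", frozenset({"Domain Users"}))        # assumed user
    myshare_ntfs = [ACE("Domain Users", True, NTFS_STANDARD["Full Control"])]
    myshare_share = [ACE("Domain Users", True, SHARE_STANDARD["Read"])]
    return {
        "tom_can_write_sales": access_check(sales_ou, tom, {WRITE}),
        "alice_local": effective_rights(myshare_ntfs, alice),
        "alice_via_share": access_via_share(myshare_ntfs, myshare_share, alice),
    }


if __name__ == "__main__":
    for name, value in chapter_scenarios().items():
        print(f"{name}: {value if isinstance(value, bool) else sorted(value)}")
```

The model makes the share rule from the text explicit: alice has Full Control locally but only read and execute through \\Server5\myShare. It also shows the ordering exception from Section 5.2.3: an explicit Allow on an object sorts ahead of a Deny inherited from its parent, so the Allow wins, while two explicit entries on the same object resolve in favour of the Deny.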

You can view all of the folders that are shared, including the administrative hidden shares, by typing "net share" at the command prompt, as seen in Figure 5-11. You can also use the Computer Management MMC (Microsoft Management Console) to view the shares, as shown in Figure 5-12.

Figure 5-11 The net share command.

Figure 5-12 Viewing shared folders in the Computer Management MMC.

5.2.5 User Rights Assignment
You can also manage what a user can do on a Windows computer by assigning specific user rights (logon rights and privileges) to the user. You can assign a user right to a user or to a group. Rights are assigned through the User Rights Assignment policy container in Local Security Policy or in a Group Policy Object (GPO). A GPO is an object in which an administrator can centrally define policies that are applied to users and computers in the domain. The user rights assignments for the Default Domain Controller Security policy are shown in Figure 5-13. Some rights assignments you might need to modify include the following:
▲ Access this computer from the network
▲ Allow log on locally
▲ Back up files and directories
▲ Deny access to this computer from the network
▲ Deny log on as a service
▲ Deny log on locally
▲ Log on as a service
▲ Restore files and directories
▲ Shut down the system
▲ Take ownership of files or other objects
A detailed discussion of all user rights available is beyond the scope of this chapter.

Figure 5-13 User Rights Assignment.

FOR EXAMPLE
Avoiding Deny Permissions
Steve is the network administrator for a large management consulting firm. There are two types of partners that run the firm: equity and nonequity partners. Nonequity partners should have access to everything that equity partners can access, with the exception of the firm's financial information. To facilitate this access, Steve decides to create a Global group named All-Partners that has all of the partners' accounts as members. In order to assure that the nonequity partners cannot view the financial information, he creates ACEs on the FinancialData folder for each of the nonequity partners' accounts and denies each one the Read permission. Over time, the nonequity partners may become equity partners. When this occurs, Steve must remove the ACE denying each individual account. In addition to the administrative burden of managing these permissions on individual accounts, the more ACEs on an ACL, the worse the performance will be when accessing the folder. In order to resolve these problems, Steve creates two additional Global groups: EquityPartners and NonEquityPartners. The EquityPartners group is granted the Read permission to the FinancialData folder and the NonEquityPartners group is not. This makes maintaining these groups in the future easy, and it keeps the ACL on the FinancialData folder small.

SELF-CHECK
1. Describe the three types of Active Directory security groups.
2. Describe the default file access permissions when you create a file on a new installation of Windows Server 2003.
3. Describe the impact of hidden shares on security.

5.3 Implementing Access Control on Unix Computers
The access control features available will depend somewhat on the flavor of Unix you are using. However, certain aspects of access control are present in most Unix implementations. In this section, we'll survey some of these aspects to provide you with a general understanding of how access to resources is managed on a Unix system. These same procedures can be used to manage access control on a Linux system.

5.3.1 Principals
The principals on a Unix computer are user identities (UIDs) and group identities (GIDs). UIDs and GIDs were traditionally 16-bit numbers; modern systems use 32-bit values. Some UID values have special meanings, which might differ between systems, but the superuser (root) UID is always 0. UID examples are listed in Table 5-5. The superuser account is similar to the Administrator account on a Windows computer.

Table 5-5: Some Common UIDs
UID: Refers To
-2: nobody
0: root
1: daemon
2: uucp
3: bin
4: games
9: audit

User Accounts
Information about principals is stored in user accounts and home directories. User accounts are stored in the world-readable /etc/passwd file; on most systems the password hashes are kept out of it, in the /etc/shadow file, which only the root user can read. The password is stored as a one-way hash rather than in clear text (Linux systems of this period commonly used the MD5-based crypt scheme; current distributions use stronger schemes such as SHA-512 crypt). Entries in /etc/passwd have the following format:
user name:password:UID:GID:ID string:home directory:login shell
The user name is traditionally a string up to eight characters long. It identifies the user when logging in but is not used for access control: the kernel works with the UID, and Unix does not distinguish between users with the same UID, so two accounts with UID 0 are both root. The field "ID string" contains the user's full name. The GID of the primary group is stored in the /etc/passwd file. The last two fields specify the user's home directory and the Unix shell available to the user after successful login. The actions taken by the system when a user logs in are specified in the /etc/profile file. Additional user-specific settings are defined in the .profile file in the user's home directory. Commands are case sensitive in Unix.

5.3 IMPLEMENTING ACCESS CONTROL ON UNIX COMPUTERS 175

Superuser (Root)
In every Unix system there is a user with special privileges, who can do almost everything. This superuser has UID 0 and usually the user name "root." The root account is used by the operating system for essential tasks like login, recording the audit log, or accessing I/O devices. All security checks are turned off for the superuser. There are also relatively easy ways to circumvent the few restrictions that are imposed on a superuser. For example, a superuser cannot write to a file system mounted as read-only, but he or she can dismount the file system and remount it as writable. The superuser can also become any other user and can change the system clock.

Groups
Users belong to one or more groups. Every user belongs to a primary group. The file /etc/group contains a list of all groups. Entries in this file have the following format:
group name:group password:GID:list of users
For example, the entry "infosecwww:*:209:chez,af" tells you that group infosecwww has the password disabled, has GID 209, and has two members, chez and af. In System V Unix, a user can only be in one group at a time. The current group is changed with the newgrp command. Users are free to change into a group where they are already a member. If users attempt to change into a group where they are not members, newgrp will prompt for a password and give temporary membership if the correct group password is entered. In Berkeley Unix, a user can reside in more than one group at the same time, so there is no need for a newgrp command.

Subjects
The subjects are processes. Each process has a process ID (PID). Each process is associated with a real UID/GID and an effective UID/GID. The real UID is inherited from the parent process. Typically it is the UID of the user who is logged in. The effective UID is inherited from the parent process or taken from the file being executed (see the discussion of SUID programs below).
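Because access control works on the UID and GID numbers rather than on names, two checks belong in any Unix account audit: which accounts share a UID (they are the same principal, and a second UID-0 entry is a root account by another name) and which groups a user actually belongs to (the primary group from /etc/passwd plus every /etc/group entry that lists the user). The Python below is an added example for this chapter, not the book's code or any distribution's tooling; it parses the two file formats described above. The sample lines are constructed for the example (the "toor" entry is there to be caught), with the infosecwww group line taken from the text.

```python
"""Parse /etc/passwd and /etc/group entries and audit the principals.

Added example for this chapter. The data below is constructed; on a real
system you would read the files (or use the pwd/grp modules) instead.
"""
from collections import defaultdict

PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
chez:x:1001:100:Chez Example:/home/staff/chez:/bin/bash
af:x:1002:100:A. F. Example:/home/staff/af:/bin/bash
toor:x:0:0:second root account:/root:/bin/sh
"""
GROUP = """\
root:x:0:
staff:x:100:
infosecwww:*:209:chez,af
wheel:x:10:chez
"""


def parse_passwd(text):
    """One dict per account, fields named as in the format from the text."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append(dict(name=name, password=pw, uid=int(uid), gid=int(gid),
                          gecos=gecos, home=home, shell=shell))
    return users


def parse_group(text):
    """One dict per group; 'members' is the list of supplementary members."""
    groups = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, gid, members = line.split(":", 3)
        groups.append(dict(name=name, password=pw, gid=int(gid),
                           members=[m for m in members.split(",") if m]))
    return groups


def password_disabled(entry):
    """'*' or a leading '!' means no password can ever match this entry."""
    return entry["password"].startswith(("*", "!"))


def groups_of(user, users, groups):
    """Primary group (GID field of passwd) plus every group listing the user."""
    entry = next(u for u in users if u["name"] == user)
    names = {g["name"] for g in groups if g["gid"] == entry["gid"]}
    names |= {g["name"] for g in groups if user in g["members"]}
    return sorted(names)


def shared_uids(users):
    """UIDs used by more than one account, with the account names."""
    by_uid = defaultdict(list)
    for u in users:
        by_uid[u["uid"]].append(u["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def superuser_accounts(users):
    """Every account the kernel treats as root, whatever it is called."""
    return [u["name"] for u in users if u["uid"] == 0]


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    print("root accounts:", superuser_accounts(users))
    print("shared UIDs:", shared_uids(users))
    print("groups of chez:", groups_of("chez", users, groups))
```

The same functions run unchanged over the real files if `PASSWD` and `GROUP` are replaced by `open("/etc/passwd").read()` and `open("/etc/group").read()`; on a system with /etc/shadow the password field of every passwd entry is simply "x".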

5.3.2 Objects
The objects include files, directories, memory devices, and I/O devices. For the purpose of access control, Unix treats all objects as resources. Resources are organized in a tree-structured file system.

The Inode
Each file entry in a directory is a pointer to a data structure called an inode. The inode includes the UID of the user who owns the file (normally the person who created the file) and the GID of the group that owns the file (normally either the creator's group or the directory's group).
You can view the permissions on the files in a directory by using the ls command, as follows: ls -l. A sample listing is shown below:
-rw-r--r--  1 diego staff 1617 Oct 28 11:01 adcryp.tex
drwx------  2 diego staff  512 Oct 25 17:44 ads/
The first character tells you the type of file: "-" indicates a file, "d" a directory, "b" a block device file, and "c" a character device file. The next nine characters show the file permissions. The file permissions (permission bits) are grouped in three triples that define read, write, and execute access for owner, group, and other (also called world), respectively. A "-" indicates that a right is not granted. Thus rw-r--r-- gives read and write access to the owner and read access to group and other, and rwx------ gives read, write, and execute access to the owner and no rights to group and other. The eleventh character is a numeric field that indicates the number of links to the file. Following this value are two fields: the first identifies the owner (diego in this example), and the second identifies the group (staff).

Permissions for Directories
Every user has a home directory, such as /home/staff/dieter. This is similar to the My Documents folder on a Windows computer. To put files and subdirectories into a directory, a user has to have the correct permissions on the directory. The following permissions can be set on a directory:
▲ Read permission allows a user to find out which files are in the directory, that is, by executing ls or similar commands.
▲ Write permission allows a user to add files to and remove files from the directory.
▲ Execute permission is required for making the directory the current directory and for opening files inside the directory. Deleting a file also requires execute access on the directory.

Checking Permissions
For any access control mechanism, you have to know precisely in which order different access criteria are checked. Unix checks the permission bits in the following order:
1. If your UID indicates that you are the owner of the file, the permission bits for owner decide whether you can get access.
2. If you are not the owner of the file but your GID indicates that your group owns the file, the permission bits for group decide whether you can get access.
3. If you are neither the owner of the file nor a member of the group that owns the file, the permission bits for other decide whether you can get access.
Only one of the three triples is ever consulted. This order means that it is possible to set permission bits so that the owner of a file has less access than other users (a file with mode ----rw-rw- can be read by everyone except its owner). This might come as a surprise, but it is also a valuable general lesson: the order in which rules are evaluated is part of the policy.
To prevent other users from reading your files, you could either set the access permission on the files accordingly or you could prevent access to the directory. Note the difference between the two directory permissions involved: a user who knows that a file exists can open it with only Execute (search) permission on the directory, but cannot use ls to see what is in the directory without Read permission.
One potential problem is that you do not need any permission on a file in order to delete it; you only need Write and Execute permission on the directory that contains it. The one exception to this is that the superuser can delete any file, regardless of permissions.

Sticky Bit
You can use the sticky bit to restrict the right to delete a file. When a directory has the sticky bit set, an entry can be removed or renamed only by the owner of the file, the owner of the directory, or the superuser, and the user must still have write permission for the directory. This is how a shared directory such as /tmp is normally protected. When ls -l displays a directory with the sticky bit set, t appears instead of x as the execute permission for world (T if world has no execute permission), as shown in Figure 5-14. Notice that the entry named "dontdelete" has its last bit set to T.

Figure 5-14 Sticky bit.
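The check order above, the root bypass, and the sticky-bit rule are small enough to write down as code and try against the sample listing from Section 5.3.2. The Python below is an added example for this chapter; it is not the book's code and does not consult the operating system, so it can be run anywhere. It parses ls -l lines into mode bits and applies the rules as the text states them. The UID and GID numbers, the second user "dieter" and the "shared" directory are constructed; "diego" and "staff" come from the chapter's listing.

```python
"""Unix permission-bit check order and the sticky-bit deletion rule.

Added example for this chapter, not from the book: a model of the rules in
the text, with constructed ls -l lines and user/group numbers.
"""
from dataclasses import dataclass

S_ISUID, S_ISGID, S_ISVTX = 0o4000, 0o2000, 0o1000   # setuid, setgid, sticky
R, W, X = 4, 2, 1                                     # bits of one rwx triple


@dataclass(frozen=True)
class Inode:
    kind: str    # '-' file, 'd' directory, 'b'/'c' device
    mode: int    # the twelve permission bits
    uid: int     # owner
    gid: int     # owning group
    name: str


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset   # every group the process belongs to


def parse_ls_line(line, uid_of, gid_of):
    """Turn one 'ls -l' line into an Inode; uid_of/gid_of map names to numbers."""
    perms, _links, owner, group, _size, _mon, _day, _time, name = line.split(None, 8)
    mode = 0
    for i, ch in enumerate(perms[1:10]):
        shift = 6 - 3 * (i // 3)            # 6 = owner triple, 3 = group, 0 = other
        if ch in "rwxst":                   # lower-case s and t imply x as well
            mode |= {"r": R, "w": W}.get(ch, X) << shift
        if ch in "sS" and i == 2:
            mode |= S_ISUID
        if ch in "sS" and i == 5:
            mode |= S_ISGID
        if ch in "tT" and i == 8:
            mode |= S_ISVTX
    return Inode(perms[0], mode, uid_of[owner], gid_of[group], name.rstrip("/*"))


def may_access(subj, node, want):
    """want is an OR of R, W, X. Exactly one triple is consulted, in this order."""
    if subj.uid == 0:
        return True                          # all security checks are off for root
    if subj.uid == node.uid:
        bits = (node.mode >> 6) & 7          # owner triple, even if it is the weakest
    elif node.gid in subj.gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def may_unlink(subj, directory, entry):
    """Removing an entry needs w+x on the directory and nothing on the file,
    unless the directory is sticky: then only the file's owner, the
    directory's owner or root may remove it (still needing w+x)."""
    if subj.uid == 0:
        return True
    if not may_access(subj, directory, W | X):
        return False
    if directory.mode & S_ISVTX:
        return subj.uid in (entry.uid, directory.uid)
    return True


if __name__ == "__main__":
    ids = {"diego": 1001, "dieter": 1002, "root": 0}, {"staff": 100, "root": 0}
    f = parse_ls_line("-rw-r--r--  1 diego staff 1617 Oct 28 11:01 adcryp.tex", *ids)
    print(f, oct(f.mode))
    print("dieter may read:", may_access(Subject(1002, frozenset({100})), f, R))
```

Besides the rules themselves, the example reproduces the two surprises mentioned in the text: `may_access` on a mode 0o066 file refuses its own owner while letting everyone else in, and `may_unlink` lets a user with w+x on a non-sticky directory remove a file on which that user has no permission at all.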

Set UserID and Set GroupID
Unix requires superuser privilege to execute certain operating system functions. For example, only root can listen on the privileged ports 0–1023, but users should not be given superuser status for that. To allow users who do not have superuser status to run programs that require access they would not otherwise have, some programs are marked as SUID (set userID) programs and SGID (set groupID) programs. Such programs run with the effective user ID or group ID of their owner or group, giving temporary or restricted access to files not normally accessible to other users. If, as is often the case, root is the owner of an SUID program, a user who is executing this program will get superuser status during execution. When ls -l displays an SUID program, the execute permission of the owner is shown as s instead of x:
-rws--x--x 3 root bin 16384 Nov 16 1996 passwd*
This is illustrated in Figure 5-15. Notice that the SuperApp program has an s in the user's execute column. When ls -l displays an SGID program, the execute permission of the group is shown as s instead of x. Important SUID programs are as follows:
▲ /bin/passwd: change password
▲ /bin/login: login program
▲ /bin/at: batch job submission
▲ /bin/su: change UID program

Figure 5-15 SUID.

It is important to keep in mind that since the user has the program owner's privileges during execution of an SUID program, this program should only do what it is intended to do. This is particularly true for SUID programs owned by root. SUID programs are especially dangerous if they allow user interaction. A particular pitfall is shell escapes, which give a user access to shell commands while running as superuser. All user input, including command line arguments (which are case sensitive in Unix) and environment variables, must be processed with extreme care. An attacker who can change the behavior of an SUID program (for example, by interrupting its execution) can not only perform actions that require superuser status during the attack, but might also be able to change the system so that superuser status can be obtained on future occasions. Therefore, programs should have SUID status only if really necessary, and the systems manager should carefully monitor the integrity of SUID programs; a periodic listing of SUID files (for example, with find / -perm -4000) compared against a known-good baseline is the usual check.

Changing File Security Attributes
You can change the permission bits with the chmod command, but only if you are either the superuser or the owner of the file. This command has four possible formats:
▲ Absolute mode: you identify the permissions using an octal number. A discussion of octal permission values is beyond the scope of this chapter.
▲ Add permissions: chmod [-fR] [who]+permission file
▲ Remove permissions: chmod [-fR] [who]-permission file
▲ Reset permissions: chmod [-fR] [who]=permission file
The option -f suppresses error messages; the option -R applies the specified change recursively to the named directory and everything beneath it. The who parameter can take the values shown in Table 5-6.

Table 5-6: Supported Values for Who
Value: Effect
u: Changes the owner permissions
g: Changes the group permissions
o: Changes the other permissions
a: Changes all permissions

The permission parameter can take the values shown in Table 5-7.

Table 5-7: Supported Values for Permission
Value: Effect
r: Read permission
w: Write permission
x: Execute permission for files, search permission for directories
X: Execute permission only if the file is a directory or at least one execute bit is already set
s: Set-user-ID or set-group-ID permission
t: Save text permission (set the sticky bit)

The chown command changes the owner of a file; the chgrp command changes the group of a file. The chown command could be a potential source of unwelcome SUID programs: a user could create an SUID program and then change the owner to root. To prevent such an attack, some versions of Unix only allow the superuser to run chown. Other versions allow users to apply chown to their own files and have chown turn off the SUID and SGID bits. Similar considerations apply to chgrp.
Some Linux distributions also allow you to change permissions through a file's or folder's properties. Figure 5-16 shows the Permissions dialog for the Knoppix distribution.

FOR EXAMPLE
Beware of Setting Overly Strict Permissions
Tina is a network administrator for a Unix system. She has configured directory and file permissions so that users can access only their home directories. However, some programs that users run need to access files in other directories. Tina works around this problem by making those programs SUID programs and setting the owner to root. Remember, permissions aren't checked when the superuser attempts access. An attack occurs in which a user account obtains superuser status through one of these programs. That account is used by an attacker to perform malicious activities, including reading confidential files. Tina changes the programs so that they are not SUID programs and instead modifies the permissions on the files the applications need. This is a much more secure solution.
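The symbolic form of chmod from Tables 5-6 and 5-7 has enough corner cases (X, s, t, and what = clears) that it is worth being able to predict the result before running it on a real file. The Python below is an added example for this chapter; it is not chmod and not the book's code. It applies the [who][+-=]permission grammar to a mode value, renders the result the way ls -l would, and shows what the s bits do to a process's effective IDs when the program runs. The absolute (octal) form, umask, and the -R and -f options are deliberately left out; the modes used in the test are illustrative, with the passwd mode taken from the listing in the text.

```python
"""Symbolic chmod modes applied to a permission word, plus an ls -l renderer.

Added example for this chapter, not the chmod implementation: where real
implementations differ (for example what '=' does to setuid/setgid on
directories) this model follows the rule stated in the comment.
"""
import re

S_ISUID, S_ISGID, S_ISVTX = 0o4000, 0o2000, 0o1000
WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007}            # rwx bits per class
WHO_SPECIAL = {"u": S_ISUID, "g": S_ISGID, "o": S_ISVTX}  # special bit per class
CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwxXst]*)$")


def apply_symbolic(mode, spec, is_dir=False):
    """Apply 'u+s', 'go-w', 'a=rX', ... (comma-separated clauses, left to
    right) to mode and return the new mode."""
    for clause in spec.split(","):
        match = CLAUSE.match(clause)
        if not match:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = match.groups()
        who = "ugo" if (not who or "a" in who) else who
        # X (Table 5-7): execute only for directories or files that already have an x bit.
        if "X" in perms:
            perms = perms.replace("X", "x" if (is_dir or mode & 0o111) else "")
        bits = 0
        for w in who:
            if "r" in perms:
                bits |= WHO_BITS[w] & 0o444
            if "w" in perms:
                bits |= WHO_BITS[w] & 0o222
            if "x" in perms:
                bits |= WHO_BITS[w] & 0o111
            if "s" in perms and w in "ug":       # s has no meaning for 'o'
                bits |= WHO_SPECIAL[w]
            if "t" in perms:                     # the sticky bit is not per class
                bits |= S_ISVTX
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:  # '=': clear every bit the named classes own, then set the given ones
            clear = 0
            for w in who:
                clear |= WHO_BITS[w] | WHO_SPECIAL[w]
            mode = (mode & ~clear) | bits
    return mode


def mode_string(mode, is_dir=False):
    """Render a mode the way ls -l does, including s/S and t/T."""
    out = ["d" if is_dir else "-"]
    for shift, special, letter in ((6, S_ISUID, "s"), (3, S_ISGID, "s"), (0, S_ISVTX, "t")):
        bits = (mode >> shift) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            out.append(letter if bits & 1 else letter.upper())   # upper case: no x underneath
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def exec_ids(real_uid, real_gid, file_uid, file_gid, mode):
    """Effective UID/GID a process gets when it executes a file with this mode."""
    euid = file_uid if mode & S_ISUID else real_uid
    egid = file_gid if mode & S_ISGID else real_gid
    return euid, egid


if __name__ == "__main__":
    passwd = apply_symbolic(0o711, "u+s")
    print(mode_string(passwd), oct(passwd), "runs as", exec_ids(1001, 100, 0, 0, passwd))
    print(mode_string(apply_symbolic(0o777, "+t"), is_dir=True))
```

Two results are worth noticing: `a=r` on a setuid file drops the s bit as well as the x bits, which is why resetting permissions with = is the safe way to strip an unwanted SUID program, and `o+t` on a file without execute-for-other shows up as a capital T, the display convention the sticky-bit figure above relies on.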

Figure 5-16 Change Permissions on Knoppix.

Clicking Advanced Permissions allows you to set the SUID, SGID, and sticky bit attributes, as shown in Figure 5-17.

Figure 5-17 Advanced Permissions on Knoppix.

SELF-CHECK
1. Identify the three categories of permissions on a file on a Unix computer.
2. Describe an SUID program and how it impacts security.

SUMMARY
In this chapter you learned about three different access control models: DAC, MAC, and RBAC. You also learned how to implement access control for Active Directory objects, file system objects in Windows, user rights assignments in Windows, and file system and device objects in Linux.

KEY TERMS
%systemroot%
/etc/group file
/etc/passwd file
/etc/profile file
Access control entry (ACE)
Access control list (ACL)
Access control list (ACL) (Windows)
Access token
Account Operators
Active Directory forest
Administrative shares
Administrators
Authorizing entity
Backup Operators
chgrp command
chmod command
chown command
Clearance
Custom role
db_backupoperator role
dbcreator role
db_securityadmin role
Discretionary access control (DAC)
Discretionary access control list (DACL)
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Local group
Domain Users
Effective NTFS permissions
Everyone group
Fixed database role
Fixed server role
Global catalog
Global catalog server
Global group
Group identity (GID)
Group policy object (GPO)
Groups
Guests
Hidden share
Home directory
Identity-based access control
Impersonation token
Inherited permission
Inode
ls command
Mandatory access control (MAC)
Mixed mode domain
Native mode domain
Need to know
Nest
Network Configuration Operators
newgrp command
NTFS permissions
Object
Organizational unit (OU)
Permission attributes
PID
Primary token
Principal
Principle of least permission
Principle of least privilege
Print Operators
Role
Role-based access control (RBAC)
root
Rule-based access control
Securable
Security descriptor
Security group
Security identifier (SID)
serveradmin role
Server Operators
set groupID (SGID) program
set userID (SUID) program
Share permissions
Shared folder
Sticky bit
Subject
superuser
System access control list (SACL)
Universal group
User-directed discretionary access control
User identity (UID)
Users
Well-known SID

ASSESS YOUR UNDERSTANDING
Go to www.wiley.com/college/cole to evaluate your knowledge of authorization and access control. Measure your learning by comparing pre-test and post-test results.

Summary Questions
1. Which access control model uses an intermediate layer to determine access?
(a) DAC (b) MAC (c) RBAC
2. Which access control model uses an object's classification to determine its access?
(a) DAC (b) MAC (c) RBAC
3. The principle of least permission applies only to the RBAC model. True or false?
4. On Windows, each security principal has a unique _______________.
(a) ACL (b) ACE (c) DACL (d) SID
5. Which Active Directory security group type can be created only in a native mode domain?
(a) Domain local (b) Global (c) Universal
6. In an Active Directory environment, which group type should be used to grant permissions?
(a) Domain Local (b) Global (c) Universal
7. Every Active Directory object has a security descriptor. True or false?
8. When you deny a group permission to modify an object, you add an ACE to the group's DACL. True or false?

9. What is the default share permission when you share a folder on a computer running Windows Server 2003?
(a) Everyone Full Control (b) Everyone Read (c) Users Full Control (d) Users Read
10. To increase security on a Windows network, you should delete all administrative shares. True or false?
11. What is the UID for the superuser on a Unix computer?
(a) -2 (b) 0 (c) 1 (d) 2
12. A user on a Unix computer can be associated with 0 or more groups. True or false?
13. Which character indicates that a right is not granted when it appears in a file inode's permission list?
(a) - (b) d (c) n (d) x
14. Which of the following shows the order in which a Unix computer checks permissions when determining access?
(a) group, owner, other (b) other, owner, group (c) owner, group, other (d) group, other, owner

Applying This Chapter
1.
A file server running Windows 2000 is a member of an Active Directory domain. The file server has a folder named "Projects" that contains a subdirectory for each project. One project manager is assigned to each project. Project managers need to be able to read and modify the files for the projects they manage. The project manager also needs to be able to configure the access control for the files and folders within the project folder. Some folders will be used by everyone working on the project. Others will be accessed only by users working on specific tasks.
(a) What access control model is best suited to meet the requirements?
(b) What are two ways you can grant the project manager the necessary permissions?
(c) What steps can you take to facilitate the project manager's permission management?
(d) Why shouldn't the project manager just assign everyone on the project Modify access to the project folder?
(e) One project manager assigns access permissions, then finds that some of the project team members cannot access the files they need. How can she troubleshoot the problem?
(f) How can you ensure that Share permissions are always enforced when a team member accesses the file server?

2.
You are troubleshooting file system permissions for a Unix file server. You run ls -l and the following listing is displayed:
-rw-r--r--  1 steve hr 1617 Dec  9 13:01 salaries.tex
-rws--x--x  1 root  hr 2399 Dec 10  9:25 payroll.exe
drwx------  2 mike  hr  512 Dec 12 17:44 hr/
(a) What access do members of the "hr" group have to "salaries.tex"?
(b) Who can modify "salaries.tex"?
(c) What is the security vulnerability with the permissions assigned to "payroll.exe", if any?

They can read the file. All users in the company need to be able to add files to the VacationRequests and Insurance subfolders of HR. There are members of Human Resources in each office. Members of the Sales department need to be able to read the CustomerDelinquency. There are also members of the Executive team and Sales department in each office.YOU TRY IT Configuring Access Control in an Active Directory Network You are an administrator for an Active Directory forest. 1. It is running Windows Server 2003 and is a member of the Chicago domain.tex. All accounting is done in the Chicago office. Users in the Accounts Payable department need to be able to read and modify files in the AP folder. what requirements must be met by the domain in which you create the Universal groups? 3. You run the commands. Only members of the HR department should be able to read any other files in the HR folder or its subfolders. You own a file named “project.xls file in the AP folder.” You want to ensure that all users can read the file and that all members of the projectA group can read and modify it. and HR. Members of the Executive team need to be able to read. A file server has three shared directories: AR. AP. but not write to. Design the group strategy to meet the requirements. Users in the Accounts Receivable department need to be able to read and write to files in the AR folder. The forest has three domains. but not modify. files in the CompanyInfo folder. 2. the files in the AR folder. 1. How would you configure permissions to grant the necessary permission to CompanyInfo and its subfolders? 4. What commands will you run to set the permissions? 2. but members of the projectA group cannot modify the file. one for each company location. What should you do? 187 . Temporary employees should not be able to read information in the CompanyConfidential subfolder of CompanyInfo. Use the RBAC security model and apply the principle of least permission. They need to be able to read. 
How would you prevent an attacker with physical access to the file server from logging on? Setting Permissions on a Unix Computer You are a user on a Unix computer. If you chose to use Universal groups.

6 SECURING NETWORK TRANSMISSION

Starting Point
Go to www.wiley.com/college/cole to assess your knowledge of designing and implementing a secure network infrastructure. Determine where you need to concentrate your effort.

What You’ll Learn in This Chapter
▲ Types of network attacks
▲ Design considerations
▲ Switches and Virtual Local Area Networks (VLANs)
▲ Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
▲ IP security (IPsec)
▲ Secure Shell (SSH)
▲ Server Message Block signing (SMB signing)

After Studying This Chapter, You’ll Be Able To
▲ Identify the threats to data being transferred over the network
▲ Analyze requirements for securing data transmission
▲ Segment a network to improve security
▲ Select the appropriate protocol to secure data being transmitted across a network
▲ Describe how SSL and TLS can be used to secure data on a network
▲ Describe how IPsec can be used to filter and secure data on a network
▲ Describe the security protections offered by SMB signing and SSH

INTRODUCTION
Your network infrastructure is vulnerable to attack at many levels. Even internally, you need to be concerned about the data that resides on physical devices and that passes through switches and routers on the network. You need to come up with a security strategy that reduces the risks associated with moving data across networks. For instance, you might want to prevent sensitive types of data from being “accidentally” seen as it travels on the network. In this chapter, we will explore the security risks involved in transmitting data over a network and the protocols available for reducing those risks.

6.1 Analyzing Security Requirements for Network Traffic
In this section you will learn about some types of attacks that your network traffic might encounter, as well as the things you should consider when planning a security strategy for your network infrastructure.

6.1.1 Types of Attacks
Attackers can eavesdrop on data by using a network monitoring tool commonly referred to as a packet sniffer, which is used for legitimate troubleshooting but can also be used maliciously by being placed on a compromised router or network between you and the data’s destination. Attackers can take over the administration functionality of a router, switch, or hub and misdirect packets, causing denial-of-service (DoS) attacks. They can also launch a DoS attack against a device by trying to overwhelm it with large numbers of packets. Attackers can exploit flaws in the firmware or take advantage of known default settings in these devices. You also need to consider how to physically secure network devices, because no matter how strong your security, it can be broken by someone who has physical access to network devices. Physically securing your own devices is one thing, but on a public network like the Internet, you are not in control of the devices that your data might pass over.

Table 6-1 lists some common types of attacks to which your data is vulnerable. Let’s take a closer look at what’s involved with a session hijacking attack and a special type of DoS attack, the TCP SYN Flooding attack. A detailed look at the other attacks is beyond the scope of this chapter.

Table 6-1: Common Attacks on Data Transferred across a Network
Packet sniffing: An attacker views confidential data contained in packets from a database application, an email application, or a file transfer. Passwords that travel on the network unencrypted are viewed and used to infiltrate servers.
DoS attack: An attacker sends an unusually large number of packets to the server or exploits a vulnerability that prevents legitimate users from accessing a resource.
Spoofing: An attacker modifies a packet or data to impersonate another resource or person. For example, the attacker forges return addresses on emails or source IP addresses on IP packets.
Data alteration: An attacker modifies data between the source and the destination. This could mean changing the data in the packets, redirecting the packets, or forging information to attack network servers. This is used for man-in-the-middle attacks, session hijacking, replays (attacks in which data is captured and replayed with or without modification), and packet tampering (an attack in which data packets are modified).

TCP Session Hijacking
During a normal TCP/IP (Transmission Control Protocol/Internet Protocol) session between a server and a client, the client initiates a three-way handshake with the server by sending a SYN message. A SYN message is used to request sequence number synchronization. The server responds by sending an ACK (acknowledgement) message to the client’s SYN and a SYN message of its own. The client then responds with an ACK to the server’s SYN. This exchange is shown in Figure 6-1. The messages contain sequence numbers so that the receiving computer can verify that the message is correct.

Figure 6-1: TCP/IP session initiation (Client sends SYN 200; Server replies with ACK 201 and SYN 400; Client replies with ACK 401).

In a TCP session hijacking attack, the attacker opens a genuine connection to its target (B) and receives a sequence number. The attacker (C) then impersonates the client (A), sending a packet with the client’s (A’s) address in the source field and a sequence number consistent with what B expects the sequence number to be. If C guesses the right sequence number, B assumes that it has a connection with A, when in fact C is sending the packets. C cannot see the output from this session, but it might be able to execute commands with A’s privileges on the server B. This process is illustrated in Figure 6-2.

This attack could be run in a Unix® environment, where the attacker spoofs messages from a trusted host (a Unix host that is trusted because the user name is the same on both the local and remote computers, and thus the user does not need to supply a password for authentication). Protocols such as remote shell (rsh) are vulnerable, as they employ address-based authentication. Remote shell is a Unix utility that allows you to execute shell commands remotely. The attack could also be run in an environment where authentication is not required, assuming that users logging in from a trusted host have already been authenticated.

To defend against this attack, a firewall should block all TCP packets arriving from the Internet with a local source address. This scheme works if all your trusted hosts are on the local network. If trusted hosts also exist in the Internet, the firewall instead has to block all protocols that use TCP and address-based authentication. As a better solution, you could avoid address-based authentication entirely and use cryptographic authentication, such as digital certifications.

Figure 6-2: TCP session hijacking attack (Attacker C opens a genuine connection to Server B: “I’m C,” SYN 200; B replies ACK 201, SYN 400. C then sends “I’m A,” SYN 200 with Client A’s address as source; B sends ACK 201, SYN 400 toward A; C completes the handshake with “I’m A,” ACK 401).

TCP SYN Flooding Attacks
After responding to the first SYN packet, the server (B) stores the sequence number so that it can verify the ACK from the client. Most computers limit the number of connections that have not completed the handshake process and are in the SYN_RECV state to prevent these types of connections from consuming system resources. These connections are known as half-open connections. In a TCP SYN flooding attack, the attacker initiates a large number of TCP open requests (SYN packets) to B without completing the handshake, until B reaches its half-open-connection limit and cannot respond to any new incoming requests. Another way to launch a SYN flood attack is to spoof the source address on the SYN packet (change the address to an IP address different than that of the computer actually sending the packet) so that the SYN-ACK is sent to a wrong or nonexistent address. As part of a TCP session hijacking attack, the attacker (C) could launch a SYN flooding attack against the client (A) so that A does not process the SYN-ACK packet from B and would not close the connection the attacker wants to open.

Although there are no fail-safe countermeasures against a SYN flood attack, you can configure most routers to reject packets that have a source address on your internal network but that arrive from your external network, and packets that have a source address outside your internal network but that originate on your internal network. SYN filters can also be configured to reject a large number of SYN requests from the same IP address.

6.1.2 Considerations for Designing a Secure Infrastructure
You will need to determine what vulnerabilities will affect a company’s network and then consider the importance of the data along with the costs and the technical requirements to secure it. The following sections discuss considerations that will help you in deciding what and how to secure data.

Decide What Network Traffic Needs Securing
Securing network traffic requires the use of CPU and network bandwidth, so you will need to figure out what traffic requires security and the level of security that it requires. This can range from setting up a point-to-point connection from the PC that is sending confidential data to the server to establishing a secure connection or tunnel between routers so all traffic that passes through the routers over the segment is encrypted.

Identify the Compatibility Issues of the Operating Systems You Have Installed and the Applications Running on Them
The version of the operating system or application you are running will affect what security options are available for transmitting data. You will need to weigh the cost of upgrading the operating system or application with the cost of being less secure.
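The following added example (not from the book) replays a constructed packet log through the two defenses described above for SYN flooding and session hijacking: the router anti-spoofing rule (an internal source address must not arrive on the external interface, and vice versa) and a per-source half-open connection limit. The interface names, the 192.168.10.0/24 internal range, the sample addresses and the small limit are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Assumptions (constructed for this example): the internal network is
# 192.168.10.0/24, "ext" is the Internet-facing router interface and "int" the
# internal one, and a small limit stands in for a real SYN_RECV backlog.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
HALF_OPEN_LIMIT = 5

# Constructed sample packet log: "<iface> <src_ip>:<src_port> <dst_ip>:<dst_port> <flag>"
SAMPLE_LOG = """\
ext 203.0.113.7:5000 192.168.10.5:80 SYN
ext 203.0.113.7:5000 192.168.10.5:80 ACK
ext 192.168.10.99:5001 192.168.10.5:80 SYN
ext 198.51.100.20:4001 192.168.10.5:80 SYN
ext 198.51.100.20:4002 192.168.10.5:80 SYN
ext 198.51.100.20:4003 192.168.10.5:80 SYN
ext 198.51.100.20:4004 192.168.10.5:80 SYN
ext 198.51.100.20:4005 192.168.10.5:80 SYN
ext 198.51.100.20:4006 192.168.10.5:80 SYN
int 192.168.10.22:6000 192.168.10.5:80 SYN
int 192.168.10.22:6000 192.168.10.5:80 ACK
int 10.9.9.9:6001 192.168.10.5:80 SYN
"""


def parse_line(line):
    """Split one log line into (iface, src_ip, src_port, dst_ip, dst_port, flag)."""
    iface, src, dst, flag = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return iface, src_ip, int(src_port), dst_ip, int(dst_port), flag


def is_spoofed(iface, src_ip):
    """Router anti-spoofing rule from the text: an internal source address must not
    arrive on the external interface, and a non-internal source address must not
    originate on the internal interface."""
    inside = ipaddress.ip_address(src_ip) in INTERNAL_NET
    if iface == "ext":
        return inside
    return not inside


def analyze(log=SAMPLE_LOG):
    """Replay the log, drop spoofed packets, and track half-open connections.

    A client's SYN opens a half-open entry; the client's ACK (third step of the
    handshake) completes it. Whatever is still half-open at the end is counted per
    source address, and a source over HALF_OPEN_LIMIT is reported as a SYN flood
    candidate, which is what a SYN filter keyed on source address would act on.
    """
    spoofed = []
    half_open = set()          # (src_ip, src_port, dst_ip, dst_port) awaiting the ACK
    for raw in log.strip().splitlines():
        iface, src_ip, src_port, dst_ip, dst_port, flag = parse_line(raw)
        if is_spoofed(iface, src_ip):
            spoofed.append((iface, src_ip))
            continue                       # the router would reject this packet
        key = (src_ip, src_port, dst_ip, dst_port)
        if flag == "SYN":
            half_open.add(key)
        elif flag == "ACK":
            half_open.discard(key)         # handshake completed, no longer half-open
    per_source = Counter(key[0] for key in half_open)
    flood_sources = sorted(src for src, n in per_source.items() if n > HALF_OPEN_LIMIT)
    return {
        "spoofed": spoofed,
        "half_open": dict(per_source),
        "flood_sources": flood_sources,
    }


if __name__ == "__main__":
    report = analyze()
    print("rejected as spoofed:", report["spoofed"])
    print("half-open per source:", report["half_open"])
    print("SYN flood candidates:", report["flood_sources"])
```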

Make Sure that the Hardware Is Secure
If the hardware is not secure, it doesn’t really matter what security measures you are taking on the packets moving across your network. Securing the hardware means making sure you lock the wiring closets and control access to the server room. You can also add more security by using switches rather than hubs on the network. A switch controls the traffic going out so that it is directed to the device or segment attached to a specific port instead of sending all packets to all devices, making it harder for attackers to sniff packets on your network.

Figure Out What Methods to Use to Secure Data that Will Be Transmitted across a Network
Data is vulnerable as it moves across the physical devices and mediums on the network. You cannot trust devices that you do not exercise full control over, so you will need to take appropriate precautions with your confidential data. Once you have decided what types of attacks your data is vulnerable to, you will need to come up with a plan to securely transmit data across the network. This might involve coming up with a method to encrypt the data you are transmitting, verifying that the data has not been manipulated in transit, and choosing which method you will use to authenticate remote clients on the network. You will also need to take into account laws that restrict encryption strength and exportation to countries where you will do business. This might mean precluding data from being transmitted into these countries or using a separate physical network instead of the less expensive public network.

6.1.3 Securely Transmitting Data
If you decide that you need to securely transmit data over a network, there are some actions you need to take to mitigate the risk of an attack:
▲ Make sure that the data will not be read by any unauthorized individual between you and the source.
▲ Verify that the data will not be tampered with, meaning the data in a packet won’t be changed by someone in between you and the packet’s source (known as a man-in-the-middle attack).
▲ Verify or authenticate the identity of people (and/or computers) who will send packets.
Mainly, you will need to figure out the identity of the person and/or computer that is transmitting the data and encrypt the data so it cannot be read on an insecure network.

FOR EXAMPLE
Analyzing Traffic Security Requirements
When analyzing data security requirements, you need to consider the type of data being transferred, which computers the data must be transferred between, and the confidentiality, authentication, and integrity requirements for the data. Suppose, for example, that a company’s Research department frequently transfers company-confidential data between the researchers’ computers and a database server in the department. The company values this data highly and estimates the cost of it falling into the hands of a competitor as very high. In this case, you might decide that you want to allow only members of the Research department to access the database server. You might also decide that you are going to encrypt all traffic that travels on the network within the research department. You have several ways of meeting these goals. For example, you could isolate the Research department on its own network segment and use a firewall to prevent traffic originating outside the segment from being sent to the database server. If the database server is running Microsoft® SQL Server 2005, you can choose to encrypt database traffic using SSL. To prevent an attacker from spoofing the database server, you might choose to use certificates for mutual authentication. You could also choose an encryption technology that would encrypt all data sent to the database server or all data on the network.

You can reduce the risks involved with transmitting data that must be secured by encrypting the data, authenticating the user, and signing the data. You can also segment your network using switches, routers, firewalls, and virtual LANs (VLANs). The rest of this chapter will discuss strategies for securing data on a local area network (LAN) or when accessing a web server. Remote access security, such as security protocols for dial-up networking and virtual private networks, is beyond the scope of this chapter.

SELF-CHECK
1. Identify the four types of network attacks.
2. Describe why you need to analyze the types of data being transferred on the network.

6.2 Defining Network Perimeters
One way to secure a network is to isolate segments that have secure data transmission requirements. You can segment a network at Layer 3 using routers and subnets and at Layer 2 using switches and VLANs. Let’s take a look at both of these options.

6.2.1 Isolating Insecure Networks Using Subnets
Most organizations have a network perimeter, which is any point that connects the internal network to external networks. Network perimeters include the network connection point to the Internet, links to a satellite office, or a remote access server. Other examples of network perimeters are wireless access points or virtual private network (VPN) connections. The network perimeter is the part of any network that is most vulnerable to attack. The attack can be random or targeted. Because of the prevalence of threats that affect public network access points, you should take great care to minimize your internal network’s exposure to the public network, also referred to as “the wild.”

A screened subnet is also on the perimeter of a network. Routers and firewalls can be used to screen the traffic that passes into and out of the screened subnet. One use of a screened subnet is as a protected area on the network used to run services that are shared outside of the organization. Business-to-business (B2B) services are typically run from this type of subnet. A DMZ is a type of screened subnet. DMZ stands for demilitarized zone, which is an isolated network segment at the point where a corporate network meets the Internet. Other uses of a screened subnet include isolating secure data on a segment or walling off a segment in which unsecure activity is common, such as a software development environment or a test network.

There are typically three types of configurations that an organization can implement when securing its network perimeters: bastion host, three-pronged configuration, or back-to-back configuration. Let’s take a look at each of these.

Bastion Host
A bastion host acts as the only connection for computers on the internal network to use to access the Internet (or other external networks). An example of a bastion host is a computer sharing an Internet connection and providing NAT (Network Address Translation) services, such as a proxy server. The bastion host uses at least two network adapters: one is connected to the internal network while the other is connected to the external network. This configuration physically separates the internal network from the outside. When configured as a firewall, the bastion host is specially designed to prevent attacks against the internal network. Its weakness is that it is a single point of failure; should it be compromised, the attacker can gain access to the internal network. This configuration is illustrated in Figure 6-3.

Figure 6-3: Bastion host (Internet, firewall, corporate network; a web server is reachable through the firewall).

Three-pronged Configuration
In a three-pronged configuration, the firewall system has a minimum of three network adapters. One adapter will be connected to the internal network, one to the external or public network, and the third to a screened subnet. For example, you might want to put a web server in a screened subnet. This configuration allows for hosts from the public and internal networks to access the available resources in the screened subnet while continuing to isolate the internal network from the wild. Figure 6-4 depicts this configuration.

Back-to-back Configuration
The back-to-back configuration places the screened subnet between two firewalls. The screened subnet is connected through a firewall to the Internet on one end (similar to a bastion host) and is connected through another firewall to the internal network on the opposite end. This would require an attacker to breach both firewalls in order to compromise the internal network. This is probably the most secure configuration while still allowing for public resources to be accessed. Figure 6-5 shows an illustration of this configuration.

Figure 6-4: Three-pronged configuration (Internet, a firewall with three adapters, a web server on the screened subnet, and a LAN of workstations and laptops).

Figure 6-5: Back-to-back configuration (Internet, outer firewall, web server on the screened subnet, inner firewall, and a LAN of workstations and laptops).

6.2.2 Switches and VLANs
When you segment a network using subnets, you are limited by the IP addressing scheme. In some cases, you might want to group computers into segments that are independent of their IP addresses. One way to do this is by using switches and configuring a virtual local area network (virtual LAN, or VLAN).

VLANs operate at Layer 2 of the OSI model. You create a VLAN by associating the hosts in a specific VLAN with a tag (identifier for a specific VLAN). The tagging protocol specified in 802.1Q is the most commonly used tagging protocol. A host that does not have a tag is associated with the default VLAN, VLAN 1. Because you assign a host to a VLAN through software, the configuration can be based on actual data transfer requirements within the organization. For example, you might create a separate VLAN for the Accounting department. By isolating computers in a network into separate VLANs, you limit the broadcast domain. Communication between VLANs must occur through a router. To communicate with members of the Accounting department, computers in other departmental VLANs would have to send requests through a router and be subject to any Layer 3 security measures, such as firewalls.

Like all security measures, a VLAN has potential vulnerabilities. One type of attack, called VLAN hopping, allows an attacker to bypass the VLAN boundary by modifying the VLAN ID (tag) on a packet. An attacker can also hop to another VLAN by gaining access to a native port.

FOR EXAMPLE
The Importance of Perimeter Security
Quovadimus Incorporated is a technology firm specializing in biotechnology. The organization frequently works with educational and government institutions. Quovadimus also hosts its own web and mail servers that are accessible from the Internet. The CIO tells the network administrator to provide a partnering organization with access to the company’s data. The CIO has promised the partnering organization that the data will be available to them within an hour, so there is no time to develop a secure perimeter. Using basic techniques like port scanning, an attacker is able to footprint the Quovadimus perimeter network. The attacker learns what operating systems and services are running on the perimeter network. The attacker now has enough information to create an entire diagram of the organization’s perimeter, including those of the organization’s partners. The attacker researches the known vulnerabilities of the services that are running in the perimeter network and can now systematically attack the network. The attacker now can gain access to some or all of the services that are accessible. As a result of not properly preparing for this type of data access, a leak of confidential data causes the company to lose a competitive advantage and creates a loss of credibility with a key partner. The CIO now tells you that you need to make the perimeter secure for data access by current partners and future partners. One way to do this is to create a screened subnet. You select a back-to-back configuration to ensure that your company’s internal network is more difficult for an attacker to access.

FOR EXAMPLE
Keeping Your Switches Up-to-Date
Another way you can secure your network is to upgrade your switches to the latest versions. Vendors are constantly making improvements that address vulnerabilities and common attacks. For example, the Cisco® 3560-E series switches include a number of security features designed to make VLANs more secure by providing better isolation between ports and by adding access control lists (ACLs) to ports. You should always consider the security features of a switch before making a purchase. If your budget does not allow you to upgrade to a new switch, at least visit the vendor sites frequently to look for updates. Most vendors, including Cisco, post security bulletins and updates that resolve issues found in their equipment.

6.2.3 Using IP Address and IP Packet Filtering
As an added layer of protection, you should enable filtering on your servers. There are two types of filters that you can apply to your server: IP address filtering and IP packet filtering.

IP Address Filtering
IP address filtering involves filtering traffic based on the IP address of the client computer. Some web server applications, such as Internet Information Services (IIS), allow you to filter the requests they accept based on a client’s IP address. For example, the configuration in Figure 6-6 allows only connections from the 192.168.10.0 subnet and would be appropriate for an intranet website.

Figure 6-6: IP address filtering in IIS.

Another way to filter traffic based on address is by installing and configuring a personal firewall. You generally have two options for configuring IP filtering: you can enable all traffic except traffic from the IP addresses listed, or you can exclude all IP addresses and allow only the IP addresses listed. If you enable IP address filtering, it is recommended that you filter all traffic except the traffic explicitly specified. You also need to realize that an IP address can be spoofed, so you should still rely on additional forms of authentication for the users.

IP Packet Filtering
If you need a higher level of control than is available by preventing an IP address from communicating with your server, you can use IP packet filtering. IP packet filtering prevents specific packets from reaching their destined ports on the server. You define a filter based on the protocols or port numbers. This can be effective in guarding against packets for specific services that would not represent legitimate traffic to the server.

FOR EXAMPLE
Using Filters to Prevent a W32.Slammer Worm Attack
Busicorp had a web server that had some sample applications installed for development purposes. It had Microsoft Data Engine (MSDE) 2000 installed on it, but the web server did not have the latest SQL Server 2000 patches installed. This is usually not much of a problem on a server that is actively maintained. The patches would be installed and the vulnerability would be patched. But this was not the case on this server. Therefore, the server was vulnerable to attacks due to security holes that are inevitable in any product. Busicorp had installed packet filtering on the box as part of the standard setup of the server. IT knew that the computer would be used for web applications, File Transfer Protocol (FTP) based applications, and Simple Mail Transfer Protocol (SMTP) based applications, along with the capability to authenticate with Active Directory®. The server had filters enabled to allow this traffic. When the Slammer worm hit, the server was protected because it was not allowing packets to communicate with port UDP 1434, so the Slammer worm was not able to infect the computer. These filters, by being totally exclusive of all traffic except the traffic Busicorp allowed, prevented attacks, even though the applications were not properly maintained.
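As an added example (not the book’s code), the following models the two filter types just described and evaluates them the way the Busicorp case plays out: an address filter in “exclude all, allow only those listed” mode for the 192.168.10.0 intranet subnet, and a packet filter that lets only the web ports through, so a UDP 1434 packet is dropped regardless of its source. The class names, the sample addresses and the choice of allowed ports are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address as seen by the server
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the server


class AddressFilter:
    """IP address filtering with the two modes described in the text:
    deny_all_except=True  -> exclude all addresses and allow only those listed
    deny_all_except=False -> allow all addresses except those listed"""

    def __init__(self, listed, deny_all_except=True):
        self.listed = [ipaddress.ip_network(n, strict=False) for n in listed]
        self.deny_all_except = deny_all_except

    def permits(self, src):
        ip = ipaddress.ip_address(src)
        matched = any(ip in net for net in self.listed)
        return matched if self.deny_all_except else not matched


class PacketFilter:
    """IP packet filtering: only explicitly listed protocol/port pairs reach the server."""

    def __init__(self, allowed):
        self.allowed = {(proto.lower(), port) for proto, port in allowed}

    def permits(self, pkt):
        return (pkt.proto.lower(), pkt.dport) in self.allowed


def decide(pkt, addr_filter, pkt_filter):
    """Return ("accept" | "drop", reason). The port check runs first because it does
    not depend on the source address, which the text notes can be spoofed."""
    if not pkt_filter.permits(pkt):
        return "drop", "protocol/port not explicitly allowed"
    if not addr_filter.permits(pkt.src):
        return "drop", "source address not permitted"
    return "accept", "ok"


# Intranet web server as in Figure 6-6: only 192.168.10.0/24 may connect, and only
# to HTTP and HTTPS. UDP 1434 (the port Slammer used) is not listed, so it is
# dropped for every source, inside or outside the subnet.
INTRANET_ONLY = AddressFilter(["192.168.10.0/24"], deny_all_except=True)
WEB_PORTS_ONLY = PacketFilter([("tcp", 80), ("tcp", 443)])

SAMPLE_PACKETS = {  # constructed sample traffic
    "lan_http": Packet("192.168.10.44", "tcp", 80),
    "lan_https": Packet("192.168.10.44", "tcp", 443),
    "remote_http": Packet("203.0.113.9", "tcp", 80),
    "remote_udp_1434": Packet("203.0.113.9", "udp", 1434),
    "lan_udp_1434": Packet("192.168.10.44", "udp", 1434),
}


def run_samples(packets=SAMPLE_PACKETS):
    """Verdict per sample packet under the intranet address filter and web-only packet filter."""
    return {name: decide(p, INTRANET_ONLY, WEB_PORTS_ONLY)[0] for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16s} {verdict}")
```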

SELF-CHECK
1. Describe the three types of perimeter network configurations.
2. Describe a VLAN.

6.3 Data Transmission Protection Protocols
Several protocols are available for authenticating, encrypting, and ensuring the integrity of data when it is transmitted across the network. In this section, we’ll look at several of these: SSL, TLS, IPsec, SMB signing, and SSH.

6.3.1 SSL and TLS
SSL and TLS are protocols that provide session encryption and integrity for packets sent from one computer to another. They also provide authentication of the server to the client and (optionally) of the client to the server through X.509 certificates (digital certificates). TLS is an enhancement of SSL, but all of our discussion of SSL relates to TLS as well. They can be used to secure client-to-server or server-to-server network traffic. Figure 6-7 shows where SSL would typically be used on a network. SSL packets can be passed through firewalls, NAT servers, and other network devices without any special considerations other than making sure the proper ports are open on the device. For example, HTTP over SSL uses port 443 by default. Therefore, a firewall between the Internet and a web server that uses SSL on its default port would need to allow incoming and outgoing traffic on port 443.

Figure 6-7: SSL on a network (SSL between the web client on the Internet and the web server behind the firewall; the web server in turn talks to an application server, i.e., a database or email server, and a workstation on the internal network).

Figure 6-8: The SSL security layer (application, SSL, TCP, IP, link).

SSL works between the Application and Transport layers of the network protocol stack, as shown in Figure 6-8. The most common use of SSL is between a web client and a web server because it is supported by web browsers and web servers on all platforms and has become the standard for encrypting HTTP traffic. However, SSL can also be used to communicate with application or database servers, provided that the application or database management system supports SSL.

SSL Behind the Scenes
SSL has two components, the SSL Handshake Protocol and the SSL Record Layer. The SSL Handshake Protocol sets up the cryptographic parameters of the session state, including the session identifier, certifications, the cipher that will be used, shared secret keys, and random values used by protocols, such as Diffie-Hellman. The SSL Record Layer takes blocks from an upper-layer protocol, fragments these blocks into SSL Plaintext records, and then applies the cryptographic transformation defined by the cipher spec in the current session state. Essentially, the SSL Record Layer provides the encryption services.

To illustrate this protocol, we will step through a conversation in which the client authenticates the server. Figure 6-9 shows the messages exchanged between client and server. Components in parentheses are optional. The client initiates the protocol run with a ClientHello message, containing a random number, a list of suggested ciphers (ordered according to the client’s preference), and a suggested compression algorithm. An example of a ClientHello message is shown in Figure 6-10. The server replies with a ServerHello message and a certificate chain, as shown in Figure 6-11. In our example, the server selects the cipher “TLS_RSA_WITH_3DES_EDE_CBC_SHA” from the suggested suite. This selection means that RSA will be used for key exchange, triple DES (Data Encryption Standard) in CBC (cipher-block chaining) mode for encryption, and SHA as the hash function.

Figure 6-9: The SSL Handshake Protocol. Client to Server: ClientHello. Server to Client: ServerHello, (Certificate), (ServerKeyExchange), (CertificateRequest), ServerHelloDone. Client to Server: (Certificate), ClientKeyExchange, (CertificateVerify), ChangeCipherSpec, Finished. Server to Client: ChangeCipherSpec, Finished. Then Application Data flows in both directions.

Figure 6-10: ClientHello message. M1: ClientHello: ClientRandom[28]; Suggested Cipher Suites: TLS_RSA_WITH_IDEA_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA; Suggested Compression Algorithm: NONE.

If mutual authentication was required, the server would also request a certificate chain from the client. In our example, no certificate is requested from the client. The client verifies the certificate chain to ensure that it trusts the certificate authority (CA) that issued the certificate or its root CA and then locally creates a random 48-byte PreMasterSecret. The MasterSecret is the first 48 bytes of PRF(PreMasterSecret, “master secret,” ClientRandom || ServerRandom). Here, PRF is shorthand for a more complex function based on MD5 and SHA that takes as inputs a secret, a label, and a seed. The symbol || means that

Figure 6-11: ServerHello message. M2: ServerHello: ServerRandom[28]; Use Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA; Session ID: 0xa00372d4XS. Certificates: subjectAltName: SuperStoreVirtualOutlet, PublicKey: 0x521aa593 …, Issuer: SuperStoreHQ; subjectAltName: SuperStoreHQ, PublicKey: 0x9f400682 …, Issuer: Verisign. Compression: NONE. Server Done.

The client now transmits the PreMasterSecret to the server, using the key management algorithm specified in the selected cipher suite and the server's certified public key. The client should then immediately destroy the PreMasterSecret. The MasterSecret serves as input to the construction of a key block. All required encryption keys for client and server are extracted from the key block. The keys protecting traffic from client to server are different from the keys protecting traffic from server to client. Thus, the parties can easily distinguish between messages they send and messages they receive, and they are not subject to reflection attacks where a message is replayed to its sender.

The client then ties the third message to the first two through two hashes constructed with MD5 and SHA. The server decrypts the PreMasterSecret and uses it to compute the MasterSecret, the key block, and all derived secret keys valid for this session with the client. The server verifies the hash appended to the client's message and replies with a hashed ChangeCipherSpec response. The client verifies the hash in the server's message. The ChangeCipherSpec message indicates that subsequent records will be protected under the newly negotiated cipher suite and keys. Both parties have now established shared secret keys which they can use to protect application traffic.

FOR EXAMPLE

Designing for SSL on a Windows® Server 2003 Network

Frankfurters, Inc. is a medium-sized company with about 700 employees located in 5 states in the United States. It produces various meat products and is looking to allow access to email for its sales and executive staff throughout the nation. The company is running Windows Server 2003 on its servers and is using Exchange Server 2003 and Active Directory. During the design process, you conducted the interviews as summarized in Table 6-2.

Table 6-2: Interviews

CIO: We want to provide email access wherever our sales staff or executives might travel and on whatever computer they might be using. We need to keep the cost low, so we are looking at using the Internet and a national ISP to provide Internet access. The email contains important sales projections, client information, and other confidential information, and you need to protect this information in transit.

Network Administrator: We are looking at using the HTTP access in Exchange 2003 called Outlook® Web Access (OWA) because it looks easy to use and comes with Exchange 2003. Users might access their email from their home PCs, from laptops issued by Frankfurters's IT staff, or through computers at other locations, so we need to make sure the solution can deliver the information securely over various network topologies.

Salespeople and Executives: We want a solution that is easy to use. We do not want to deal with setting up software or configuration settings for security on the device we might use.

You decide to enable SSL on the server running OWA. This is a good choice because SSL is supported by most operating systems and devices. Also, it does not require special security settings on the client.

6.3.2 IP Security (IPsec)

IPsec is a security protocol that operates at the Internet layer of the TCP/IP protocol stack (see Figure 6-12), which is equivalent to the OSI Network layer.

Because it operates at the Internet layer, it is application-independent. Applications do not need to provide support for IPsec; in fact, they are not aware of it at all. IPsec can be used to secure traffic on a LAN or on a VPN. IPsec was required by the original IPv6 node requirements (later relaxed to a recommendation in RFC 6434). IPsec is optional with IPv4 and is not implemented by all operating systems.

Figure 6-12: IPsec on the stack. (Stack, top to bottom: application, transport, IP with an IPsec sublayer, link.)

IPsec can be configured to offer the following:
▲ Confidentiality
▲ Authentication
▲ Data integrity
▲ Packet filtering
▲ Protection against data replay attacks

IPsec can be configured to use multiple security algorithm options. An administrator can decide which security algorithm to use for an application based on security requirements. IPsec architecture is described in RFC 2401. IPsec includes two major security mechanisms: Authentication Header (AH), described in RFC 2402, and Encapsulating Security Payload (ESP), covered in RFC 2406. (These three documents have since been superseded by RFC 4301, RFC 4302, and RFC 4303 respectively.)

Authentication Header

AH protects the integrity and authenticity of IP packets but does not protect confidentiality. It was introduced primarily for political reasons. In the 1990s, export restrictions on encryption algorithms created the need for an authentication-only mechanism. These export restrictions by and large have been lifted, and it is now recommended that, to simplify implementations of IPsec, in most cases you use ESP only.

Encapsulating Security Payload

ESP can be used to provide confidentiality, data origin authentication, data integrity, some replay protection, and limited traffic flow confidentiality. An ESP packet is shown in Figure 6-13.

Figure 6-13: ESP packet. Fields in order: Security Parameters Index (SPI), Sequence Number, Payload Data (variable), Padding (0-255 bytes), Pad Length, Next Header, Authentication Data (variable). The scope of encryption runs from Payload Data through Next Header; the scope of the ICV runs from the SPI through Next Header.

An ESP packet contains the following fields:
▲ Security Parameters Index (SPI) is a 32-bit field that, together with the destination IP address and the security protocol (ESP), uniquely identifies the security association for the datagram.
▲ Sequence number is an unsigned 32-bit field containing an increasing counter value. The sequence number helps to avoid replay attacks; this value must be included by the sender but might not be processed by the receiver. The SPI and the sequence number constitute the ESP header.
▲ Payload data is a variable-length field containing the transport layer protocol data unit (PDU). A PDU is another word for a network message.
▲ Padding is an optional field containing padding data for the encryption algorithm; the length of the data to be encrypted has to be a multiple of the algorithm's block size.
▲ Pad length is a value that provides the length of the padding field.
▲ Next Header shows the next protocol field on the normal IP packet.
▲ Authentication data is a variable number of 32-bit words containing an integrity check value (ICV) computed over the ESP packet minus the Authentication Data.

The fields after the payload data are the ESP trailer. The IP header is not encrypted.

ESP Modes

ESP can be configured to operate in one of two modes:
▲ Transport mode: In transport mode, the upper-layer protocol frame [from TCP or UDP (User Datagram Protocol), up the stack] is encapsulated. Transport mode provides end-to-end protection of packets exchanged between two end hosts. Both nodes have to be IPsec aware. This is illustrated in Figure 6-14.
▲ Tunnel mode: In tunnel mode (Figure 6-15) an entire datagram plus security fields are treated as a new payload of an outer IP datagram. The original inner IP datagram is encapsulated within the outer IP datagram; IP tunneling can therefore be described as IP within IP. This mode can be used when IPsec processing is performed at security gateways on behalf of end hosts. The gateway could be a perimeter firewall or a router. The end hosts need not be IPsec aware. This mode provides gateway-to-gateway security rather than end-to-end security. On the other hand, you get traffic flow confidentiality as the inner IP datagram is not visible to intermediate routers, and the original source and destination addresses are hidden.

Figure 6-14: Transport mode. Original IP packet: original IP header, extension headers, TCP, data. After ESP: original IP header, hop-by-hop/routing/fragment extension headers, ESP header, destination options header (if present), TCP, data, ESP trailer, ESP authentication data. Encryption covers the destination options header through the ESP trailer; authentication covers the ESP header through the ESP trailer.

Figure 6-15: Tunnel mode. Original IP packet: original IP header, extension headers, TCP, data. After ESP: new IP header, new extension headers, ESP header, original IP header, original extension headers, TCP, data, ESP trailer, ESP authentication data. Encryption covers the original IP header through the ESP trailer; authentication covers the ESP header through the ESP trailer.

Security Associations

To generate, decrypt, or verify an ESP packet a system has to know which algorithm and which key to use. This information is stored in a security association (SA). IPsec security associations are defined in RFC 2401. The SA is the common state between two hosts for communication in one direction.
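The following Python walks through the receiver side of ESP for the packet layout above; it is an added example, not code from the book. It builds a packet with the default padding pattern, computes the ICV over everything from the SPI through Next Header with HMAC-SHA-1-96 (RFC 2404), looks the SA up by the (destination address, SPI, protocol) triple, and enforces the sequence number against a sliding anti-replay window of the kind kept in the SA. ESP_NULL encryption (RFC 2410) is assumed so the trailer stays readable; with a real cipher the payload, padding, pad length and next header would be ciphertext. The SA table, the MAC key, the addresses and the "TCP segment" payload are constructed values.

```python
import hmac
import hashlib
import struct

ESP_HEADER_LEN = 8   # SPI (4 bytes) + Sequence Number (4 bytes)
ICV_LEN = 12         # HMAC-SHA-1-96: 20-byte tag truncated to 96 bits (RFC 2404)


def build_esp(spi, seq, payload, next_header, mac_key, block_size=8):
    """Build header | payload | padding | pad length | next header | ICV (ESP_NULL, RFC 2410)."""
    pad_len = (-(len(payload) + 2)) % block_size   # payload + 2-byte trailer must fill whole blocks
    padding = bytes(range(1, pad_len + 1))         # RFC 2406 default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(mac_key, body, hashlib.sha1).digest()[:ICV_LEN]   # ICV covers SPI..Next Header
    return body + icv


def parse_esp(packet, mac_key):
    """Verify the ICV first, then split the packet into (spi, seq, payload, next_header)."""
    if len(packet) < ESP_HEADER_LEN + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:ESP_HEADER_LEN])
    pad_len, next_header = body[-2], body[-1]
    trailer_start = len(body) - 2 - pad_len
    if trailer_start < ESP_HEADER_LEN:
        raise ValueError("bad pad length")
    payload = body[ESP_HEADER_LEN:trailer_start]
    if body[trailer_start:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, payload, next_header


class AntiReplayWindow:
    """Sliding window over accepted sequence numbers (RFC 2401, Appendix C)."""

    def __init__(self, size=32):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  <=>  sequence number (top - i) already seen

    def check_and_update(self, seq):
        if seq == 0:                               # the first packet on an SA uses 1
            return False
        if seq > self.top:                         # slide the window forward
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                      # older than the window: drop
            return False
        if self.bitmap & (1 << diff):              # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


def inbound_esp(dst_ip, packet, sa_table):
    """Receiver processing: SA lookup by (dst, SPI, ESP), ICV check, then anti-replay check."""
    (spi,) = struct.unpack("!I", packet[:4])
    sa = sa_table.get((dst_ip, spi, "ESP"))
    if sa is None:
        return None, "no SA"
    try:
        _, seq, payload, next_header = parse_esp(packet, sa["mac_key"])
    except ValueError as err:
        return None, str(err)
    if not sa["replay"].check_and_update(seq):
        return None, "replayed or outside window"
    return (next_header, payload), "ok"


def demo():
    """Deliver one packet, replay it, then deliver a tampered copy; return the outcomes."""
    mac_key = bytes(range(20))   # constructed 20-byte HMAC-SHA-1 key held in the SA
    sa_table = {("10.0.0.2", 0x1000, "ESP"): {"mac_key": mac_key, "replay": AntiReplayWindow()}}
    pkt = build_esp(spi=0x1000, seq=1, payload=b"TCP segment", next_header=6, mac_key=mac_key)
    first, status1 = inbound_esp("10.0.0.2", pkt, sa_table)
    _, status2 = inbound_esp("10.0.0.2", pkt, sa_table)          # exact replay
    tampered = bytearray(pkt)
    tampered[ESP_HEADER_LEN] ^= 0x01                            # flip one payload bit
    _, status3 = inbound_esp("10.0.0.2", bytes(tampered), sa_table)
    return first, [status1, status2, status3]


if __name__ == "__main__":
    print(demo())
```

Checking the ICV before the replay window matters: a forged packet with a high sequence number must not be allowed to advance the window and cause legitimate in-flight packets to be dropped as "too old".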

An SA contains the relevant cryptographic data, such as algorithm identifiers, keys, and key lifetimes. There can be a sequence number counter and an anti-replay window. The SA also tells whether tunnel mode or transport mode is used. SAs are usually created in pairs, one in each direction; bidirectional communication between two hosts requires two security associations. An SA is uniquely identified by an SPI (carried in AH and ESP headers), the destination IP address, and a security protocol (AH or ESP) identifier.

Internet Key Exchange Protocol

IPsec specifies authentication and encryption services independently of the key management protocols that set up the SAs and session keys. IPsec security services are not tied to any particular key management protocol. Therefore, if a key management protocol were found to be flawed, this protocol could be replaced without further repercussions on IPsec implementations. SAs could be created manually. This works if the number of nodes is small, but manually creating SAs does not scale to reasonably sized networks of IPsec-aware hosts. The alternative to manual keying is IKE, the Internet Key Exchange protocol (RFC 2409). Two goals of IKE are entity authentication and the establishment of a fresh shared secret. The shared secret is used to derive additional keys. IKE is also responsible for the secure negotiation of all cryptographic algorithms, for example, key exchange method, authentication method, algorithms for encryption, or hash algorithms.

IKE operates in two phases. Phase 1 sets up an SA as a secure channel to carry further SA negotiation, as well as error and management traffic. This phase involves heavy-duty entity authentication and key exchange. The phase 1 protocol has two variants, a slow main mode (six messages) with more security guarantees, and a faster aggressive mode (three messages). Main mode and aggressive mode each give the choice of multiple authentication mechanisms. Aggressive mode sends the identities and the authentication hash before the channel is encrypted, so with preshared keys it exposes a hash that can be attacked offline; prefer main mode. In phase 2, SAs for general use are negotiated. Fast negotiations take place over the secure channel established in phase 1. Each phase 1 agreement can have multiple phase 2 agreements, and multiple pairs of SAs can be negotiated during each phase 2 negotiation.

A new version, IKEv2, is defined in RFC 4306 (since revised as RFC 7296). IKEv2 offers enhancements to protect against certain types of DoS attacks aimed at using processor resources for negotiating security associations for a client that does not exist. IKEv2 is also designed to allow IPsec to work better through a NAT connection than IKEv1. It also allows each participant to have a different key lifetime. At the time this book was written, several implementations of IKEv2 were available.

Let's wrap up our discussion of IPsec with a look at how you configure IPsec on a computer running Windows Server 2003.

Configuring IPsec on a Windows Network

You can enable and configure the IPsec protocol with Group Policy for Windows 2000 or later computers or through the Network Connection Wizard. These settings are located by navigating to the Security Settings section of the Group Policy console or by launching the Domain, Domain Controller, or Local Security Policy Microsoft Management Console (MMC) from the Administrative Tools section of the Start menu. You can click on the IP Security Policies section to reveal the information shown in Figure 6-16.

Figure 6-16: Default IPsec policies on a Windows Server 2003 computer.

Windows Server 2003 has three built-in IPsec policies:
1. Client (Respond Only): The client will use IPsec if the server requests or requires it.
2. Server (Request Security): The server will request that an IPsec session be created with the client but will still establish a connection if the client does not support it.
3. Server (Require Security): The server will only allow communication with clients that support IPsec. This means that one of the previous two policies needs to be configured on the clients.

The built-in policies are made up of a default set of rules and are mainly provided as examples or for very basic configurations. On a production network, you will most likely need to create a custom IPsec policy, which is just a collection of rules that define how communication should occur. You can configure rules that a computer will follow in applying IPsec to outgoing and incoming packets. The Edit Rule Properties dialog box for configuring IPsec is shown in Figure 6-17. You can create rules that define the following:
▲ A filter that decides what type of traffic (like HTTP or SMTP) to apply the IPsec policy to and optionally the destination or source address.
▲ A filter action that defines what the policy should do when it matches the traffic type defined in the filter. This could be requiring encryption for a protocol, permitting all traffic, or blocking all traffic from a protocol.
▲ An authentication method that uses one of three mechanisms: Kerberos v5 protocol, public key infrastructure (PKI) certificate, or a preshared key. Kerberos or PKI certificates are the more secure choices but require additional infrastructure. The preshared key does not require Kerberos or PKI infrastructure, but the same key must be entered on each computer. The preshared key option is less secure because it is stored in the policy, which could be compromised. Therefore, you should use preshared keys for testing purposes only.
▲ The network interface that the IPsec policy applies to, such as a VPN connection or a specific network interface.
▲ The type of IPsec connection, which is either tunnel or transport mode.
▲ The means for exchanging keys over the Internet via IKE.

6.3.3 Server Message Block Signing

If you access files over a network share on a Windows server, you are using the Server Message Block (SMB) protocol. By default, the packets sent using SMB are not secure. Server Message Block (SMB) signing adds a keyed hash to each SMB packet. This allows you to guard your network against man-in-the-middle, replay, and session hijacking attacks. But SMB signing does nothing to protect the confidentiality of the data that is passing over the network connection. Signing requires that every packet be signed and verified, which means that you can expect a slowdown when accessing an SMB resource like a file share. SMB signing is enabled by default on Windows 2000 Server, Windows XP, and Windows Server 2003. All Windows clients support it except for Windows 95 without the Active Directory client and Windows NT® pre–Service Pack 3. If SMB signing is not enabled on the client, it will not be able to connect to a server on which SMB signing is required. This will prevent access to Group Policy, printing, and file shares on a domain controller or server with SMB signing required.

Figure 6-17: Creating IPsec rules on a Windows Server 2003 computer.

If you have computers that must run these operating systems, then segment all computers that they need to communicate with in their own organizational unit (OU) and apply the following Group Policy setting to the OU: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always) = Disabled (see Figure 6-18). This can also be applied to a domain, but it will increase the risk of the attacks mentioned earlier. IPsec provides a mechanism to sign all IP traffic and would be a better choice for heterogeneous networks.

Figure 6-18: Allowing connections from clients that don't support SMB signing.

6.3.4 Secure Shell

Remote users often rely on remote login programs, such as rsh, rlogin, ftp, and so on, for attaining connectivity to host machines for application needs. The purpose of each of these utilities is beyond the scope of this chapter. These programs transmit data in clear text. Secure Shell (SSH), maintained by the Internet Engineering Task Force, addresses this issue by replacing remote login programs such as Telnet and ftp. SSH services have comparatively higher security than services such as Telnet. SSH is now available as the standard for remote computer logins. SSH uses public key cryptography for authentication and key exchange, and symmetric encryption of the session for data confidentiality. Typical applications of SSH include remote access to computer resources over the Internet, secure file transfers, and remote system administration. Although SSH services are most suitable and intended for Unix and Linux operating systems, non-Unix operating systems, such as Windows and Macintosh®, also support it.

The SSH service has been released in two different versions. SSH-1 is susceptible to man-in-the-middle and packet insertion attacks because of weaknesses in its design, including its CRC-32 integrity check, and should not be used. Instead, you should use SSH-2 when secure remote login is required. SSH-2 includes the following features:
▲ Complete replacement of conventional remote login programs, such as ftp, Telnet, rlogin, and so on, with their security-compatible counterparts, such as scp, sftp, sshd, and ssh-agent.
▲ Support for multiple encryption algorithms, including DES, 3-DES, and AES (single DES is obsolete and should be disabled).
▲ High-end security algorithms tailored to detect identity spoofing such as IP spoofing and other security threats.
▲ Authentication through key pairs generated by RSA or Digital Signature Algorithm (DSA). DSA is a standard for generating digital signatures.
▲ Multiple sessions for multiple terminal windows through one secure (authentication and encryption) connection.

FOR EXAMPLE

Using IPsec to Secure a Subnet

One way IPsec can be used effectively is to block protocols destined for one or more computers. If this is your goal, you would configure a filter for the protocol and optionally the source computers and specify a filter action of block. You would not need to create any security associations because the packets would be rejected. Another way you can use IPsec to secure data on a network is to secure communication with a server that contains confidential data. You can create a filter that allows only specific client computers to access the server and that requires those communications to be encrypted. One issue you might encounter is that some operating systems do not support IPsec. For example, Windows 95, Windows 98, and Windows Me support IPsec only for VPN connections, not for LAN connections. In this case, you can use IPsec in tunnel mode to secure communications between a server and another end point.

SELF-CHECK
1. Describe the two modes supported by ESP.
2. List the network protocols that provide data confidentiality.
3. List the protections offered by SMB signing.

SUMMARY

In this chapter you learned how to secure data on the network. First you learned about some attacks that can be launched over the network and some things to keep in mind when securing your network infrastructure. Next you learned about segmenting your network physically, using subnets, and logically, using VLANs. You also learned how to protect a server from network attacks by filtering packets based on IP address or protocol. Finally, you learned about protocols that can be used to secure data on the network. These include SSL, TLS, IPsec, SMB signing, and SSH.

KEY TERMS

802.1Q, Acknowledgement (ACK) message, Authentication data, Authentication Header (AH), Back-to-back configuration, Bastion host, Broadcast domain, ChangeCipherSpec message, Cipher spec, ClientHello message, Countermeasures, Demilitarized zone (DMZ), Denial of Service (DoS) attack, Digital Signature Algorithm (DSA), Encapsulating Security Payload (ESP), Footprint, Gateway-to-gateway security, Half-open connections, IKEv2, Integrity Check Value (ICV), Internet Key Exchange (IKE) protocol, IP address filtering, IP packet filtering, IPsec policy, IP Security (IPsec), IP within IP, Key block, MasterSecret, Next Header, Packet sniffer, Packet tampering, Padding, Pad length, Payload data, PreMasterSecret, Protocol data unit (PDU), Remote shell (rsh), Replays, RFC 2401, RFC 2402, RFC 2406, RFC 2409, RFC 4306, Screened subnet, Secure Sockets Layer (SSL), Security Association (SA), Security Parameters Index (SPI), Sequence number, ServerHello, Server Message Block (SMB), Server Message Block (SMB) signing, SSH, SSL Handshake Protocol, SSL Plaintext records, SSL Record Layer, Switch, SYN message, Tag, TCP session hijacking, TCP SYN flooding attack, The wild, Three-pronged configuration, Transport Layer Security (TLS), Transport mode, Trusted host, Tunnel mode, Virtual local area network (VLAN), VLAN hopping, VLAN ID

ASSESS YOUR UNDERSTANDING

Go to www.wiley.com/college/cole to evaluate your knowledge of designing and implementing a secure network infrastructure. Measure your learning by comparing pre-test and post-test results.

Summary Questions

1. What type of attack involves an attacker impersonating a legitimate client in order to execute commands on a server? (a) TCP SYN flooding (b) TCP session hijacking (c) brute force (d) phishing
2. Which of the following is a denial-of-service attack? (a) man-in-the-middle (b) replay attack (c) TCP SYN flooding (d) TCP session hijacking
3. When designing security for a network infrastructure, you should plan to use the strongest encryption possible for all data. True or false?
4. Which perimeter configuration requires two separate firewalls? (a) back-to-back configuration (b) bastion host (c) three-pronged configuration
5. In a bastion host configuration, it is not necessary to enable protocol filters on any servers. True or false?
6. A host that is not assigned to a VLAN is automatically assigned to VLAN 1. True or false?
7. Which encryption protocol requires application support on both the server and the client? (a) IPsec AH (b) IPsec ESP (c) SSL (d) SMB signing
8. SSL requires a digital certificate on both the server and the client. True or false?

9. Which of the following protections is NOT provided by IPsec AH? (a) authentication (b) confidentiality (c) integrity
10. Which IPsec mode requires that both the source and the destination computer be IPsec-aware? (a) transport mode (b) tunnel mode
11. A bidirectional IPsec conversation requires two security associations. True or false?
12. Which default Windows IPsec policy can only be configured if all clients that need to communicate with the server support IPsec? (a) Client (Respond only) (b) Server (Request security) (c) Server (Require security)
13. Which protection or protections is provided by SMB signing? (a) authentication only (b) authentication and confidentiality (c) integrity only (d) authentication and integrity
14. SSH is only supported on Unix and Linux operating systems. True or false?

Applying This Chapter

1. Busicorp provides accounting, web development, and marketing services for over 200 small businesses. The accountants handle accounts receivable, accounts payable, reporting, and tax form generation for the companies. Customers currently upload their records to an FTP server hosted by Busicorp's ISP. After the records have been uploaded, they are downloaded by one of 10 data entry people and entered into a database. The data is then retrieved and manipulated by one of 4 accountants. No other Busicorp employees should have access to the data. The CEO is concerned about the company's liability if customer records were obtained. Busicorp's network is configured as a single subnet with a bastion host firewall providing perimeter protection between the internal network and the Internet.
(a) Which threat or threats provide(s) the greatest risk to customer accounting data?
(b) What step could you take to secure the data while it is being transmitted by the customer?
(c) How could you change your network segments to protect the data before it is downloaded by data entry personnel? Choose the most secure option.
(d) Why is a back-to-back configuration more secure than a three-pronged configuration?
(e) What steps involving the network can you take to protect the database server?
(f) What steps can you take to protect the data when it is being transmitted between the database server and the accountants' computers? Select an option that will provide end-to-end confidentiality.
(g) What would prevent you from using SSL?

YOU TRY IT

Designing Network Infrastructure Security

You have been hired by a medical clinic to improve the security of its network. You must analyze the data transmission security requirements and make suggestions for improving security. The network is currently configured as an Active Directory domain. A single database server stores patient data, including appointments, medical records, and billing data. It is running Windows NT 4.0 with Service Pack 6 and SQL Server 7.0. Client computers are running a mix of Windows XP Professional and Windows 98 with the Active Directory client. The medical clinic personnel includes doctors, nurses, clerical personnel, and administrators. Only doctors and nurses need access to patient medical data. Clerical personnel need access to patient appointments, billing data, and medical inventory data, including the inventory of controlled substances. Administrators need access to insurance policy data. The company wants to enable patients to schedule appointments and submit requests for prescription refills over the Internet.

1. Which data requires the best confidentiality protection?
2. Which data requires the best integrity protection?
3. What users need access to the patient medical records?
4. Why might you want to modify the configuration so that patient medical records are stored on a separate database server?
5. Why might you want to modify the configuration so that patient appointments are stored on a separate database server?
6. What upgrades are required to use SMB signing between the database server and the administrators' computers?
7. Could you use IPsec to provide end-to-end confidentiality for when doctors access patient records? Why or why not?
8. What is the most secure network configuration for offering the new Internet services for patients?
9. How can you protect the confidentiality, integrity, and authentication for prescription refill requests?

7 REMOTE ACCESS AND WIRELESS SECURITY

Starting Point

Go to www.wiley.com/college/cole to assess your knowledge of designing and implementing a secure remote access and wireless network infrastructure. Determine where you need to concentrate your effort.

What You'll Learn in This Chapter
▲ Remote access authentication methods
▲ How to limit dial-up access
▲ Virtual private networks (VPNs)
▲ RADIUS and TACACS
▲ Wireless network security

After Studying This Chapter, You'll Be Able To
▲ Choose the most appropriate remote access authentication protocol
▲ Limit access to a dial-up connection
▲ Select a tunneling protocol for a VPN connection
▲ Describe how RADIUS and TACACS can centralize authentication policies
▲ Implement security for a wireless network


INTRODUCTION
Maintaining data security is becoming increasingly important as more organizations establish network links between themselves to share information and increase productivity, and as more employees are allowed to work from home. In addition, a number of businesses are taking advantage of the convenience offered by wireless networking. With these conveniences come potential security risks because network links open additional points of entry to your wired local area network (LAN). Another concern, especially with wireless networks, is that data can be intercepted easily unless it is encrypted. This chapter begins with a look at the most traditional way of accessing a LAN from a computer outside the physical network: the dial-up connection. Next the chapter looks at how to implement a virtual private network (VPN) to allow users to tunnel through the Internet to access your company network. From there, the chapter discusses how you can centralize authentication when supporting multiple remote access and wireless entry points to your network. The chapter concludes with a discussion of wireless networking and the protocols available for securely implementing a wireless network segment.

7.1 Dial-up Networking
The traditional way to allow a remote user to access an internal network is to equip both the client computer and a remote access server (RAS) with a dial-up modem. The client computer uses a traditional phone line to dial a connection to the server. The server attempts to authenticate the user and either allows or refuses access to the network. This section looks at the dial-up protocols that operate at the Data Link layer of the OSI model. The chapter then compares the remote access authentication protocols available. Finally, the chapter discusses some steps that can be taken when configuring a computer running Windows Server 2003 as an RAS to limit which users can access the network through a dial-up connection.

7.1.1 Dial-up Networking Protocols

Early RASs used Serial Line Internet Protocol (SLIP) to provide dial-up access. SLIP can only be used to send Internet Protocol (IP) packets and was commonly used to access UNIX servers. SLIP is considered a legacy protocol. Most modern RASs use Point-to-Point Protocol (PPP). PPP allows you to transmit data sent using multiple protocols, including IP and IPX, over a dial-up connection. It does this by encapsulating the datagrams of other protocols. The following are some subprotocols that PPP uses:


▲ Link Control Protocol (LCP): the protocol for establishing, configuring, and testing the data link. It accommodates limits on packet sizes, sets up encapsulation options, and optionally negotiates peer-to-peer authentication.
▲ Network Control Protocols (NCPs): a family of protocols, one per network-layer protocol (for example, IPCP for IP), for configuring that protocol over the established link.

This discussion will focus on securing PPP dial-up connections by selecting the most secure authentication protocol supported by both the client and the server.
7.1.2 Dial-up Networking Authentication Protocols

The PPP specification uses no particular authentication protocol as a standard. Which authentication protocol will be used is negotiated using LCP during the link establishment phase. During this phase, the two devices establish specific network parameters like the size of a frame, whether to use compression, and the authentication protocol to use for validating the user. A number of authentication protocols are available. The protocol or protocols you choose will depend on the protocols supported by both the client and RAS operating systems. Let’s look first at the individual protocols and then discuss some guidelines for choosing which to use.
Password Authentication Protocol (PAP)

With Password Authentication Protocol (PAP), the user ID and password are transmitted in clear text to the server, where they are compared to the username and password stored on the server. This is not a secure way to authenticate a user and should be avoided in most environments.
Shiva Password Authentication Protocol (SPAP)

Shiva Password Authentication Protocol (SPAP) was developed for the Shiva LAN Rover product. It transmits the password in a reversible encryption format. Reversible encryption uses an encryption method that can be decrypted by an application. This means that this protocol is subject to replay and server impersonation attacks. Protocols that depend on reversible encryption should only be used when there is no other option for supporting the remote access clients. The password encryption is also easy to break. This protocol should be enabled only for backward compatibility with devices that support only SPAP.
Challenge Handshake Authentication Protocol (CHAP)

Challenge Handshake Authentication Protocol (CHAP) is the industry standard protocol for performing PPP authentication and is popular among Internet service providers (ISPs). CHAP is defined in RFC 1994. The CHAP protocol uses challenge-and-response for validating the user. This process is illustrated in Figure 7-1. When the client and server try to initialize a PPP session, the server sends a challenge to the client in the form of a random number and a session number. The client concatenates the user’s password onto the challenge and hashes it using a Message-Digest 5 (MD5) algorithm with a shared secret to generate a 128-bit response. This response is sometimes referred to as a one-way hash. With a one-way hash, there is no way to determine the information in the hash from the hash itself. The server compares the hash that it receives with the one it generates.

Figure 7-1: Challenge-and-response. (1) The client requests a connection; (2) the remote access server sends a challenge (random number + session number); (3) the client sends its response, Hash(challenge + password); (4) the server generates Hash(challenge + password) and either grants or refuses access.

In the case of a Windows® Server 2003 Routing and Remote Access Service (RRAS) server that is a member of an Active Directory® domain, the server makes a request to the domain controller for the user’s password and concatenates it to the challenge it sent to the client. It then hashes the challenge and compares it with the response it receives from the client. If they match, the user is authenticated and a PPP data connection is established to the RRAS server. This process is illustrated in Figure 7-2.

The shared secret for the hash algorithm should not be sent over the network connection, or it should be encrypted by setting up a trust between the client and the server, which would establish a key on both sides through some mechanism not defined in the CHAP protocol. The secret can be variable (just as long as the server and client stay in sync) to discourage replay attacks. The secret can also be given a time limit between challenges so that it expires, limiting the exposure to a single attack because the attacker would then need to figure out the new secret.

The advantage to using the CHAP protocol for authentication is that it is a standard supported by many platforms. A disadvantage of CHAP is that it requires you to store the passwords in a reversible encryption format so that the password can be decrypted before it is concatenated to the challenge and hashed for comparison with the client’s response.
This makes the server susceptible to attackers using tools like l0phtcrack. If you must use reversible encryption, make sure you secure all copies of your accounts database, including backups, and that you limit physical access to the server. Another drawback on an Active Directory network is that the passwords are passed over the network to the RRAS server, making them susceptible to attack, so you will need to consider encrypting the connection between the domain controller and the RRAS server.

Figure 7-2: RRAS server in a domain. (1) The client requests a connection; (2) the remote access server sends a challenge (random number + session number); (3) the client sends its response, Hash(challenge + password); (4) the RRAS server requests the user’s password from the domain controller; (5) the password is sent to the RRAS server in clear text; (6) the server generates Hash(challenge + password) and either grants or refuses access.
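The four steps of Figure 7-1 as a runnable CHAP-MD5 exchange. This is an added example, not code from the book or from Microsoft’s RRAS: it follows RFC 1994, which hashes the one-octet Identifier, the secret and the Challenge in that order; the account store, the class names and the 16-byte challenge length are this example’s own assumptions.

```python
"""CHAP (RFC 1994) challenge/response, modelled on the four steps of Figure 7-1.
Added example; account data, class names and challenge length are assumptions."""
import hashlib
import hmac
import secrets


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).

    The Identifier is the one-octet field of the Challenge packet (roughly what
    the text calls the session number). The secret itself goes into the hash,
    which is why the server must hold it in recoverable form, as the text notes.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (the RAS). Holds user secrets in recoverable form."""

    def __init__(self, user_secrets: dict[str, bytes]) -> None:
        self._secrets = user_secrets
        self._pending: dict[int, bytes] = {}  # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        """Step 2: issue a fresh random challenge together with its identifier."""
        identifier = self._next_id & 0xFF
        self._next_id += 1
        challenge = secrets.token_bytes(16)  # 16 bytes is this example's choice
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 4: recompute the hash with the stored secret and compare."""
        challenge = self._pending.pop(identifier, None)  # single use: defeats replay
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_md5_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side. Never sends the secret, only the hash over it."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self._secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple[str, bytes]:
        """Step 3: answer the challenge."""
        return self.name, chap_md5_response(identifier, self._secret, challenge)


def run_exchange(server: ChapAuthenticator, peer: ChapPeer) -> bool:
    """Steps 1 to 4 in order; returns whether the RAS granted the PPP link."""
    identifier, challenge = server.challenge()  # step 1 is the connection request
    name, response = peer.respond(identifier, challenge)
    return server.verify(identifier, name, response)


def demo() -> dict[str, bool]:
    # Constructed sample account; on an RRAS server this comes from Active Directory.
    server = ChapAuthenticator({"alice": b"correct horse battery staple"})
    good = ChapPeer("alice", b"correct horse battery staple")
    wrong = ChapPeer("alice", b"wrong password")
    results = {"good": run_exchange(server, good), "wrong": run_exchange(server, wrong)}

    # Replay: a captured valid response presented a second time is refused,
    # because the challenge it answered has already been consumed.
    identifier, challenge = server.challenge()
    name, response = good.respond(identifier, challenge)
    results["first_use"] = server.verify(identifier, name, response)
    results["replay"] = server.verify(identifier, name, response)
    return results


if __name__ == "__main__":
    print(demo())  # {'good': True, 'wrong': False, 'first_use': True, 'replay': False}
```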
Microsoft® Challenge Handshake Authentication Protocol (MS-CHAP)

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is Microsoft’s version of CHAP. It uses the MD4 algorithm to generate the hash. It also provides a mechanism for changing passwords and reporting errors with the authentication process. MS-CHAP was developed for Windows 3.1 and the original version of Windows 95. One drawback to MS-CHAP is that it sends two parallel hashes: LAN Manager and NT LAN Manager (NTLM). The LAN Manager hash is weaker and easily broken. MS-CHAP also does not authenticate the server, so it is subject to man-in-the-middle attacks and replay attacks. MS-CHAP is defined in RFC 2488, entitled Microsoft PPP CHAP Extensions.
Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2)

In response to security issues discovered in the MS-CHAP protocol, Microsoft released Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2). This is the strongest password-based protocol supported by Windows Server 2003 for remote access and should be used whenever possible if smart cards or certificates are not an option. MS-CHAPv2 disables LAN Manager Security, which means that the original Windows 95 and older clients will not be able to authenticate. It uses a 16-byte authenticator response to verify that the Windows Server 2003 RRAS server is responding with a SUCCESS message. These and other improvements make MS-CHAPv2 fairly strong, but it still suffers from being based on user password complexity, like other forms of password authentication.
Extensible Authentication Protocol (EAP)

Extensible Authentication Protocol (EAP) is a standard way of adding additional authentication protocols to PPP. EAP provides support for certificate-based authentication, smart cards, and other protocols like RSA’s SecurID. It allows third-party companies to provide even stronger authentication protocols to meet your company’s security needs. Windows Server 2003 comes with an EAP package for smart cards called EAP-Transport Layer Security (EAP-TLS). It also includes another EAP package, MD5-Challenge. MD5-Challenge is a test package used to troubleshoot EAP connections and should not be used in a production environment.
Choosing an Authentication Strategy

There are some things you need to consider when designing authentication security for a remote access infrastructure. You should avoid the use of PAP or SPAP on your RRAS server. Both of these protocols send the password over the wire (PAP as clear text and SPAP using reversible encryption), which means the password can be captured and cracked. You are better off using one of the versions of CHAP or EAP. Due to security problems with MS-CHAP, you should use EAP or MS-CHAPv2 for authentication when possible. If you need to enable reversible encryption to support CHAP, you should try to minimize the number of accounts affected by enabling it for specific users only. You would also want to make sure that these users have difficult passwords to guard against brute force attacks or dictionary attacks on the passwords. Consider the following when choosing an authentication strategy:

▲ You should choose EAP using smart cards to provide for two-factor authentication. Smart cards validate the user with a certificate in combination with the user’s password or PIN. If the person trying to authenticate does not have both, then he or she will not be authenticated. The drawback of EAP is that it requires a public key infrastructure (PKI), which means higher management costs and more complexity in the network infrastructure.
▲ You should choose MS-CHAPv2 in an environment in which you have Windows 98 or more recent clients and do not want to maintain a complex PKI.
▲ You should choose CHAP when you need to support a diverse set of operating systems and devices and do not require strong security.
Enabling Reversible Encryption

If you must use CHAP to integrate with third-party products or non-Windows clients that do not support MS-CHAPv2 or a common EAP mechanism, you need to enable reversible encryption in Windows Server 2003 Active Directory. This is done in one of two ways: by using the Account tab on the user’s Properties dialog box or by using the Domain Security Policy snap-in. To enable reversible encryption from the user’s Properties dialog box, open the Active Directory Users and Computers snap-in, right-click the user account and choose Properties from the context menu. In the user’s Properties dialog box, select the Account tab. Then select the Store password using reversible encryption option in the Account options list box, as shown in Figure 7-3. Finally, click OK to enable reversible encryption. To enable reversible encryption from the Domain Policy snap-in, open the Domain Security Policy snap-in (you could also do this in the default domain Group Policy object). Expand Security Settings and then Account Policies and select Password Policy. Then, enable the Store passwords using reversible encryption for all users in the domain policy.

Figure 7-3: Enabling reversible encryption on the user account.

FOR EXAMPLE
Designing a Dial-up Networking Strategy

Busicorp wants to allow its web developers to work from home three days a week. It also needs to allow salespeople to connect to the network when they travel. All client computers are running Windows XP Professional. Employees need to access various servers on the network. Busicorp also wants to allow customers to dial in to a server to upload their financial data as an alternative to uploading it via FTP. Some customers have Linux computers. Others are running Windows 98 and Windows XP. The customers have user accounts in the Customers organizational unit in the Active Directory domain. You need to create a secure dial-up solution. The company does not have a PKI. You install RRAS on two different domain members. You configure one RRAS server to support only MS-CHAPv2 as the authentication protocol. You enable a remote access policy that allows access only to the telecommuters and salespeople. You configure the second RRAS server to support CHAP and MS-CHAPv2. You enable reversible encryption only for the customers who require connectivity from operating systems that do not support MS-CHAPv2. You disable IP routing to prevent the customers from connecting to any other server on the network.
7.1.3 Limiting Dial-up Access

Another way to protect the dial-up server is to limit the users who are allowed dial-in access and the circumstances under which they can connect. The following are some conditions you might use to determine whether a user can connect:

▲ Windows group membership
▲ Day of the week or time of day
▲ Phone number the user is calling from

On an Active Directory network, you can set properties on the Dial-in tab (see Figure 7-4) of a user account to determine whether or not the user is allowed access. You can also specify a callback option. If you want to ensure that a user can only dial in from a specific phone number, you would set the option to Always Callback to and enter the phone number. The RRAS server will dial the client back at the specified number. This provides good security protection, provided the client always dials in from a specific number, but is not suitable as a security measure for remote users who travel or who might dial in from multiple phone numbers. An alternate way to ensure that users always call from the same number is to enable the Verify Caller-ID option. In a native-mode domain, you can define Remote Access policies to determine the circumstances under which a user can connect. For example, you can limit dial-up connections to a specific Windows group, like the Telecommuters group, and allow connections only during specific days and times.

Figure 7-4: The Dial-in tab.
7.1.4 Preventing Access to the Network

You might want to create an RAS that provides resources to dial-in clients but that does not allow access to the rest of the network. With Windows Server 2003 RRAS, you can do this by launching the Routing and Remote Access console, opening the Properties dialog box for the server to the IP tab, and clearing the check mark from Enable IP routing, as shown in Figure 7-5.

Figure 7-5: Preventing access to the network.

SELF-CHECK
1. Describe the remote access authentication protocols.
2. What should you consider when choosing an authentication strategy?

7.2 Virtual Private Networks
A virtual private network (VPN) is a secure tunnel through a non-secure network, such as the Internet. Companies typically use VPNs to allow access to remote users (see Figure 7-6) or to connect multiple remote locations. Companies might also use a VPN to provide secure access to network resources for their trusted customers or vendors. VPNs offer better performance than dial-up connections because users can take advantage of broadband Internet connections. VPNs offer connectivity between offices without the expense of dedicated lines because the traffic travels across the infrastructure of the Internet. In this section, we discuss two protocols for implementing a VPN: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) with IP security (IPsec). Users connecting through a VPN connection are authenticated using the dial-up networking authentication methods already discussed.

Figure 7-6: Remote user connecting to a VPN (remote user, ISP, Internet, corporate site).
7.2.1 Point-to-Point Tunneling Protocol

You can use Point-to-Point Tunneling Protocol (PPTP) to enable an encrypted session between two computers. PPTP tunnels PPP over a network like the Internet. This means that you can use the PPP infrastructure and authentication mechanisms to provide secure access to your internal network for partners or employees over the Internet or private connections in much the same way as you can use dial-up access over a modem. PPTP was developed and standardized by Microsoft to provide a simple mechanism to create a VPN with Windows NT® 4, Windows 9x, and later clients. Microsoft decided to take advantage of the PPP support in the Windows NT 4 RAS to authenticate the PPTP session. The resulting session key from the authentication process is used to encrypt the packets that are sent across the tunnel. Encryption is not enabled by default for PPTP, so you will need to enable it through the Security tab of the user’s Properties dialog box, as shown in Figure 7-7.

Figure 7-7: Enabling PPTP encryption on a Windows Server 2003 computer.

PPTP is a Layer 2 tunneling protocol that encapsulates PPP packets into IP datagrams by adding a Generic Routing Encapsulation (GRE) header and an IP header. The resulting datagram can be routed over IP-based networks and takes advantage of the authentication, compression, and encryption services provided by PPP. PPTP allows you to encrypt traffic using the Microsoft Point-to-Point Encryption (MPPE) protocol. The session keys for encrypting the traffic are generated from the MS-CHAP or EAP passwords; therefore, you must be using MS-CHAP, MS-CHAPv2, or EAP to support encryption with PPTP. A diagram of PPTP encapsulation is shown in Figure 7-8.

Figure 7-8: PPTP encapsulation. IP header | GRE header | PPP header | encrypted datagram; the PPP header and the encrypted datagram together form the PPP frame.

PPTP will traverse all Network Address Translation (NAT) devices because it encapsulates PPP packets inside an IP packet and does not care if the IP address is changed on the packet. This means that you can use PPTP to establish a tunnel through a NAT server that does not support NAT-Traversal. NAT-Traversal will be described a little later in the chapter. The advantages of using PPTP are that it has widespread adoption in Microsoft operating systems and that it is easy to set up on any Windows platform without special downloads. It is also the only way you can set up a VPN connection to a Windows NT 4 RAS server without third-party software.

There are downfalls associated with using PPTP. Although support on the Windows platform is strong, it is not as widely or as well supported by other operating systems and devices. You would need to verify that the device with which you need to set up a PPTP session supports the protocol. Another weakness is in the way PPTP handles encryption. Its encryption strength is essentially tied to the strength of the password. This also means that if an attacker were to obtain a user’s password, the attacker might be able to use this information to decrypt the session, so you will want to make sure you have strong password policies if you need to use PPTP. PPTP supports authenticating users but not computers, so you should use it only when you need user authentication and not computer authentication.

7.2.2 L2TP and IPsec

Layer 2 Tunneling Protocol (L2TP) is an industry-standard tunneling protocol. L2TP provides tunneling and authentication, does not provide IP packet integrity, and utilizes IPsec to provide encryption. More recent Windows RRAS servers support both PPTP and L2TP. L2TP adds an L2TP header and a UDP header to the PPP frame. IPsec then encrypts the resulting L2TP frame and the IPsec Encapsulating Security Payload (ESP) trailer. The L2TP encapsulation is shown in Figure 7-9.

Figure 7-9: L2TP encapsulation. IP header | IPsec ESP header | UDP header | L2TP header | PPP header | IP or IPX datagram | IPsec ESP trailer | IPsec authentication trailer; everything from the UDP header through the ESP trailer is encrypted by IPsec, and the PPP header plus the datagram form the PPP frame.

As you can see, L2TP/IPsec is more secure than PPTP because it authenticates both the computer and the user. Computer authentication can be performed through either pre-shared keys or certificates. If authentication is performed using certificates, the certificates must be installed on the RAS and the client computers. L2TP/IPsec is supported natively on computers running Windows 2000 and later. You can support Windows 98 and Windows Me clients by installing the L2TP client software. L2TP/IPsec also provides stronger encryption than PPTP. However, one problem that might prevent you from using L2TP/IPsec for a VPN tunnel is that some NAT devices are not able to support it. Because NAT needs to alter the IP address in the packet, it will cause the packet to be rejected by the client on the other end. Windows Server 2003 and some other NAT devices support NAT-Traversal of IPsec packets. NAT-Traversal is an Internet Engineering Task Force (IETF) draft standard that uses User Datagram Protocol (UDP) encapsulation. This means that the IPsec packet is wrapped inside a UDP/IP header. The NAT device can then change the UDP/IP header’s IP address or port number without changing the contents of the IPsec packet; therefore, it will not be rejected on the other end of the connection. You can set up a point-to-point connection with IPsec through a Windows Server 2003 used as a NAT server if the client supports NAT-Traversal also.

7.2.3 Hardware VPN Solutions

Cisco® offers hardware VPN solutions that provide both IPsec and Secure Sockets Layer (SSL) encryption. A number of Cisco routers and switches support VPN features. To determine the appropriate Cisco solution, you need to consider the number of connections requiring support, the throughput requirements, the features required, and the company’s budget. Juniper Networks® also provides both IPsec and SSL VPN appliances. Because Cisco devices support both IPsec and SSL, you can determine which clients should be configured to use each protocol. Your client access configuration choices will be determined by how the VPN user needs to be able to use resources on the network, whether the client software can be preinstalled, if client software can be downloaded, or if clients need to access resources through a browser interface. Let’s take a brief look at each option.

IPsec VPN Clients

An IPsec VPN client must be configured using preinstalled client software. This means that IPsec is a good choice when providing VPN access to employees who always access the network from a company computer.

SSL VPN Clients

There are two access methods for SSL VPN clients: via a web browser or via dynamically downloaded client software. Allowing access through a web browser is appropriate when you need to support users who access the VPN through a public computer or when providing access to external users who need limited functionality. A web-based VPN connection can only provide access to resources and applications that support browser-based access. Dynamically downloaded client software provides users with access to resources as if they were connected to the local area network. However, since it requires downloading and installing software on a computer, it is not appropriate for providing access from a public computer.

FOR EXAMPLE
Designing a VPN Solution

Many of Busicorp’s telecommuters and salespeople have broadband Internet connections. They want to take advantage of the high-speed connections when connecting to Busicorp’s network. You use Routing and Remote Access to enable a VPN connection. You configure it and the client computers to support both PPTP and L2TP. You select PPTP because you need to enable salespeople to connect to the network from airport kiosks, and thus you cannot perform computer authentication. You also create a pre-shared key for L2TP computer authentication because the company does not currently have a PKI. You know that pre-shared keys are a risk, but there is currently no money in the budget to implement a PKI.

SELF-CHECK
1. Compare PPTP and L2TP.
2. What are the two access methods for SSL VPN clients?

7.3 RADIUS and TACACS

If you have multiple RASs, you might want to consolidate the remote access policies onto a single server. Two methods are available for centralizing authentication policies: RADIUS and TACACS. RADIUS is more commonly used and is the centralization option supported for a Windows Server 2003 remote access solution.

7.3.1 Using RADIUS Authentication

Remote Authentication Dial-in User Service (RADIUS) authentication allows the RADIUS client (RAS or wireless access point) to authenticate against a RADIUS server and has become the standard for integrating various vendors’ products. The RADIUS server might use its own authentication database or that of a network operating system, such as Windows Server 2003’s Active Directory. RADIUS is typically used by RRAS to authenticate, authorize, and audit logon requests in a standard way, regardless of whether the user is connecting through a dial-up connection, a VPN, or a wireless access point. A typical RADIUS configuration is shown in Figure 7-10.

Figure 7-10: RADIUS configuration. A dial-in client connects to a dial-in server and a VPN client to a VPN endpoint; both servers authenticate against the RADIUS server.

Microsoft calls its RADIUS server Internet Authentication Service (IAS). IAS can act as an end point to authenticate and authorize requests from the RADIUS client against the Active Directory. The IAS server is installed on a domain controller and will use the Active Directory to attempt to authenticate the user. The client will connect to the RRAS server or wireless access point and request that it authenticate. The RRAS server or wireless access point, configured as a RADIUS client, will forward the request to the IAS server. If successful, it will notify the RADIUS client (RRAS server) and the account will be allowed on the network. An IAS server configured to forward RADIUS traffic to another server is called an IAS proxy. An IAS proxy is most useful when the RRAS and RADIUS infrastructures are maintained by different organizations or where the authentication database (Active Directory) is not directly accessible because the IAS server is located in a perimeter network. This configuration is shown in Figure 7-11.

Figure 7-11: IAS proxy configuration. The dial-in server and the VPN endpoint send RADIUS requests through a firewall to the IAS proxy, which forwards them through a second firewall to the domain controller.

You can use RADIUS to manage the accounts of users that connect over a VPN through an RRAS server. Its main benefit is that it provides a standard way to authenticate, authorize, and audit logons, so both organizations don’t need to be using the same vendors for their network infrastructures or operating systems. It is therefore often an appropriate choice for allowing network access to partner organizations. It also will ease management of duplicating accounts on Internet Information Services (IIS) or in your organization because you can configure IAS to forward RADIUS traffic to the partner organization to verify the account.

7.3.2 Using TACACS and TACACS+

Terminal Access Controller Access Control System (TACACS), which is described in RFC 1492, is an authentication protocol that provides remote access authentication and related services, such as event logging. In a TACACS system, user passwords are administered in a central database rather than in individual routers, which provides an easily scalable network security solution. A TACACS server is usually a daemon that runs on a Unix or Linux computer. A TACACS-enabled network device prompts the remote user for a user name and static password, and then the TACACS-enabled device queries a TACACS server to verify that password. Some TACACS solutions also support authentication using a token card. One important use of TACACS is for securing routers. TACACS allows you to support both privileged access, which allows a user to configure a router, and nonprivileged access, which allows a user to monitor a router, but not modify its configuration.

TACACS does not support prompting for a password change or for the use of dynamic password tokens. TACACS has been superseded by TACACS+, which provides for dynamic passwords, two-factor authentication, and improved audit functions. TACACS+ is not compatible with TACACS. TACACS+ is composed of the following elements, which are similar to those of RADIUS:

▲ Access client: a person or device, such as a router, that dials in to an ISP.
▲ A network access server (NAS): a server that processes requests for connections. The NAS conducts access control exchanges with the client, obtaining information such as password, user name, and NAS port number. This data then is transmitted to the TACACS+ server for authentication.
▲ The TACACS+ server: a server that authenticates the access request and authorizes services. It also receives accounting and documentation information from the NAS.

FOR EXAMPLE
Centralizing Remote Access Authentication

Frankfurters, Inc. has decided to expand its business by purchasing a small sausage maker called the Kielbasa Factory. The Kielbasa Factory has its own Windows Server 2003 Active Directory forest and infrastructure in place. As part of the purchase, the folks in the IT department are integrating the network at the Kielbasa Factory with Frankfurters, Inc.’s network. Employees at Frankfurters will need to access the inventory, customer, accounting, and shipping systems located at the Kielbasa Factory. Frankfurters does not want to spend money on leased lines to the Kielbasa Factory because Frankfurters already has access to the Internet via digital subscriber line (DSL). One of the ways to ensure secure communication between your organization and an external organization is to set up a VPN and use L2TP/IPsec. However, you will need to authenticate the users in the external organization, which can be a problem because duplicating user accounts for another organization would surely be a management headache. You can use the existing accounts that are in the other (and presumably trusted) organization by setting up a RADIUS client that points to the other organization. In addition, you would not need to establish or manage accounts in your organization; all of this would be handled by the other organization.

11b or 802. pager networks. 7. Identify the components in a TACACSϩ system. People use cell phones to check their voice mail from their car or use a device like a Blackberry to check their email on the golf course.11b supports speeds up to 11Mbps over a longer range than 802.11g. 2. wireless technology poses a greater security risk to the data that is transferred because the information is broadcast to anyone within range of the signal. which stands for wireless fidelity.11a.11b: 802.4 Wireless Networks Wireless networks are everywhere. ▲ 802. Identify three types of RADIUS clients. There are three major wireless standards for wireless networking defined as Wi-Fi by the Institute of Electrical and Electronics Engineers (IEEE): ▲ 802. hence the popularity. and infrared devices all use wireless networking.7. nearly all PC wireless network cards and wireless access points were built to the 802. we’ll discuss security concerns when connecting computers to a wireless LAN (WLAN).11a: 802.11g.11a is seldom used. Wireless technology allows people to connect notebooks and other portable devices to a network or the Internet without the need to find a physical network port. ▲ 802. Mobile phone networks.1 Wireless Networking Standards The general term used to describe a wireless network connecting two or more computers is Wi-Fi®.11a.11a can transmit data at speeds as fast as 54Mbps but at a shorter range than the other more popular standards.11b tend to be less expensive than those using 802. In this section.11b because they both use the same part of the . But with all of these benefits.4 WIRELESS NETWORKS 239 SELF-CHECK 1. 7. 802. It also uses a different part of the electromagnetic spectrum and so is not compatible with either 802. Devices that support 802.11g: 802. Prior to 802. Wireless network technology is very beneficial in allowing employees to work from a number of different locations.11b standard. 
Its short range and non-overlapping 12 channels means that it is a specification that is more appropriate for densely populated areas.11g supports speeds up to 54Mbps and is downward compatible with 802.4.

240 REMOTE ACCESS AND WIRELESS SECURITY

radio spectrum. The majority of PC networking equipment for sale and in current use is based on the 802.11g standard. Most current Wi-Fi devices support both 802.11b and 802.11g.

7.4.2 Wireless Modes

The 802.11 standards support two methods or modes of communication: ad hoc mode and infrastructure mode. Ad hoc mode is a peer-to-peer communication mode, in that clients communicate directly with each other. An ad hoc mode network is not secure and should not be used when transmitting confidential data. With infrastructure mode, the clients connect to a wireless device called a wireless access point (WAP), as illustrated in Figure 7-12. A WAP can be used as a bridge to connect a wireless network to a wired network. Some WAPs also include a built-in router that can allow you to share a high-bandwidth Internet connection.

Figure 7-12: WAP bridging to a wired network (computer, server and switch on the wired side; laptops connecting through WAPs).

7.4.3 Preventing Intruders from Connecting to a Wireless Network

People search for unsecured wireless access points through a process called war driving, which consists of using a notebook computer or a PDA with a wireless network card and a utility like NetStumbler or MiniStumbler and driving around looking for unsecured access points. Once an access point is found, they publish this information on the Internet or use it for their own purposes. They also might leave a mark on the building or sidewalk to indicate to others that there is an unsecured wireless access point. Leaving such a mark is known as war chalking. This means that anybody could be using your wireless access point to access the Internet or your network. They can also capture packets that you might be sending over the wireless network to reveal passwords or confidential information.

There are two security mechanisms that you can implement on any infrastructure-mode Wi-Fi network to guard against unauthorized use of your access point.

Service Set Identifier (SSID)

One security mechanism that the 802.11 standards use is a service set identifier (SSID), which is an identification that recognizes a wireless network. The SSID is used as a means of preventing clients from connecting: only clients that have been configured with the same SSID as each other or the access point can connect. Using the SSID to protect your network is not sufficient because most access points will broadcast the SSID to all the clients for ease of configuration. You can turn off the broadcast so that the access point runs in stealth mode, which means that the client would have to be configured with the correct SSID before it can connect. Another concern is that most manufacturers include a default configuration with a well-known SSID. Therefore, you should change the SSID to something difficult to guess. Rules for creating a strong SSID are similar to those for creating a strong password. The longer the SSID, the more difficult it will be for an attacker to guess. You should also avoid obvious SSIDs, such as the manufacturer of the wireless device, the word “wireless”, or your company’s name.

MAC Address Filtering

You can also use MAC address filtering to control which MAC addresses can communicate with the access point. This would require you to set up MAC filtering to specify which clients you want to allow to connect. This can be a management headache if there are a large number of clients. Wireless packets can also be captured, revealing the MAC addresses that are allowed. An attacker can use MAC address spoofing to overcome this restriction.

7.4.4 Wired Equivalent Privacy

You can provide authentication and encryption on any infrastructure-mode wireless network by using Wired Equivalent Privacy (WEP).

Figure 7-13: Configuring WEP keys in Windows Server 2003.

WEP uses a symmetric key, which means that the client and the access point require the same shared secret key. There is no standard for providing the shared secret key to the client, and it usually must be done manually, as shown in Figure 7-13. This will be a tedious process, as you can imagine. The administrator will also have to rotate the keys on a regular basis to guard against unauthorized use.

WEP Encryption

WEP uses the RC4 symmetric key encryption to authenticate clients and provide for the encryption of transmitted data. The WEP symmetric key is comprised of two components: a variable, 24-bit initialization vector (IV) and a fixed 40- or 104-bit secret key. The packet construction and the key composition are illustrated in Figure 7-14. Note that the IV is transmitted as clear text in the packet. Because the secret key is seldom changed, the purpose of the IV is to thwart cryptanalysis against WEP by having the client use a different IV when encrypting message packets (usually each frame). When the packet is received at the access point, the hardware function retrieves the base secret

key that it knows, concatenates it with the IV in the transmitted message packet, and uses this key to decrypt the packet.

Figure 7-14: A WEP message and key (message: IV, pad + ID, then plaintext and integrity check value (ICV) encrypted with the RC4 WEP key; key: IV and secret key).

However, because the IV is relatively short, on a busy network the IV might be repeated after only about an hour. Thus, packet monitoring will show repetitions of the IV and thus enable attackers to obtain the base secret key. One approach an attacker uses is to use the clear text IV and discover WEP RC4 weak keys. A freely available program called AirSnort can be used to break WEP encryption and read transmitted messages. WEP is also vulnerable to forgery and replay attacks, wherein an attacker can modify packets and retransmit them or capture packets and retransmit them at a later time.

WEP Authentication

WEP provides for open and shared key authentication. However, each of these types of authentication has vulnerabilities that make WEP a less than perfect solution for securing wireless traffic. In WEP open authentication, a client station provides an SSID that is common to the stations on its network segment and its access point. This SSID authorizes and associates a client station to the access point. A vulnerability exists with this approach in that the access point periodically transmits the SSID as clear text in management frames. Thus, the SSID is easily available to attackers to establish an association with the access point.

WEP shared key authentication was intended to implement secure client authentication through the following steps:

1. The client station transmits an authorization request.
2. The access point returns a challenge string in the clear.
3. The client chooses an IV.
4. Using the IV and secret base key, the client encrypts the challenge string.

5. The client station sends the IV and encrypted challenge string to the access point.
6. The access point also encrypts the challenge string using the transmitted IV and the same secret base key. If the access point’s encrypted challenge string is identical to the encrypted challenge string sent by the client station, the association occurs.

The vulnerability in this process is that cryptanalysis can use the intercepted plain text/cipher text pair and IV to determine the RC4 key. This attack is possible when all the IVs have been exhausted for a session and the IVs have to be reused.

7.4.5 Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) is a standard that was developed to eliminate some of the vulnerabilities of WEP, while still providing backward-compatibility for existing wireless devices. WPA requires the use of EAP for authentication and Temporal Key Integrity Protocol (TKIP) to provide message integrity. Temporal Key Integrity Protocol (TKIP) is a strategy for managing encryption keys that is built around the existing WEP security algorithm, but it provides some improvements to help protect against the vulnerabilities in WEP. Table 7-1 lists the upgrades provided by TKIP in terms of the security weaknesses addressed. Let’s take a look at each of these enhancements.

Table 7-1: TKIP Upgrades for WEP Vulnerabilities

Vulnerability                       Upgrade
Correlation of IVs with weak keys   Per-packet key mixing function
Replay                              IV sequencing discipline
Susceptibility to forgery           Message Integrity Code (MIC)

Per-packet Mixing Function

The TKIP per-packet key mixing function addresses the problem of correlating IVs with weak keys by using a key that varies with time (temporal key) as the WEP secret base key. This process is illustrated in Figure 7-15. Using the Exclusive Or (XOR) function for the local MAC address with the temporal key results in different client stations and access points generating different intermediate keys. It then uses the packet sequence counter and temporal key to construct the per-packet key and IV. These operations hide the relationship between the IV and the per-packet key. Thus, the per-packet encryption keys are different at every client station. The result of the total process is a 16-byte packet that corresponds to the input that is expected by existing WEP hardware.

Figure 7-15: TKIP per-packet mixing function (802 MAC address and temporal key pass through an S-box (non-linear substitution) into an intermediate key cache (variable function of MAC address); the intermediate key and the packet sequence # pass through a Feistel cipher to give a 128-bit per-packet key in the form expected by WEP, with bytes 1-3 representing the WEP 24-bit IV and bytes 4-16 representing the WEP 104-bit “secret base key”).

IV Sequencing Discipline

As a control against replay attacks, TKIP applies an IV sequencing discipline in which a receiver determines if a packet is out of sequence. A packet is defined as out of sequence if its IV is less than or equal to that of a packet that was previously received. By using the WEP IV field as a packet sequence number, the procedure for detecting and countering replays is summarized as follows:

1. New TKIP keys are used. Receiver and transmitter initialize the packet sequence number to zero.
2. As each packet is transmitted, the packet sequence number is incremented by the transmitter.
3. The IV sequencing discipline is applied to determine if a packet is out of sequence and a replay has occurred.
4. If that condition is true, the receiver assumes it is a replay and discards the packet.

This procedure is illustrated in Figure 7-16.

Message Integrity Codes

An ideal Message Integrity Code (MIC) is a unique, unambiguous representation of the transmitted message that will change if the message bits change. Thus, if an MIC is calculated by the sender using an authentication key known only to the sender and the receiver and that is sent with the message, the receiver can calculate another MIC based on the message and can compare it to the MIC
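Added example, not from the book, that works through two points made above: how quickly the 24-bit WEP IV space runs out, for both random and sequential IV selection, and the receiver side of the TKIP IV sequencing discipline in steps 1 to 4. The class and function names are my own, and the 4660 frames/s rate is a constructed figure chosen to match the text’s “about an hour”.

```python
import math
import random
from typing import List

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct WEP IV values


def packets_until_iv_repeat(seed: int) -> int:
    """Simulate a station that picks a fresh random 24-bit IV for every frame
    and return how many frames it sent before an IV value was reused."""
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    seen = set()
    sent = 0
    while True:
        iv = rng.getrandbits(IV_BITS)
        sent += 1
        if iv in seen:
            return sent
        seen.add(iv)


def expected_frames_until_repeat(space: int = IV_SPACE) -> float:
    """Birthday-bound estimate of the frame count at which the first IV
    collision is expected for uniformly random IVs: sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * space / 2)


def hours_to_exhaust_sequential_ivs(frames_per_second: float) -> float:
    """A station that simply increments the IV has used every value after
    IV_SPACE frames, after which IVs must repeat with the same secret key."""
    return IV_SPACE / frames_per_second / 3600


class TkipTransmitter:
    """Transmitter side: the IV field carries an incrementing sequence number."""

    def __init__(self) -> None:
        self.seq = 0  # step 1: initialized to zero when new TKIP keys are set

    def next_seq(self) -> int:
        self.seq += 1  # step 2: incremented for every transmitted packet
        return self.seq


class TkipReceiver:
    """Receiver side of the TKIP IV sequencing discipline."""

    def __init__(self) -> None:
        self.last_accepted = 0  # step 1: nothing accepted yet under these keys

    def rekey(self) -> None:
        self.last_accepted = 0  # new TKIP keys reset the sequence space

    def accept(self, seq: int) -> bool:
        # step 3: out of sequence if seq <= last correctly received packet
        if seq <= self.last_accepted:
            return False  # step 4: treat as a replay and discard
        self.last_accepted = seq
        return True


def replay_check_trace(seqs: List[int]) -> List[bool]:
    """Run a constructed list of received sequence numbers through a receiver
    and report which packets it accepts."""
    rx = TkipReceiver()
    return [rx.accept(s) for s in seqs]


if __name__ == "__main__":
    print("random IVs: first repeat after", packets_until_iv_repeat(7), "frames;",
          "birthday bound about %.0f" % expected_frames_until_repeat())
    print("sequential IVs at 4660 frames/s last %.2f hours"
          % hours_to_exhaust_sequential_ivs(4660))
    # Constructed trace: frames 1-3 arrive, frame 2 is replayed, then frame 4.
    print(replay_check_trace([1, 2, 3, 2, 4]))
```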

Figure 7-16: TKIP replay sequence checking (bytes 1-3 of the 16-byte per-packet key represent the WEP 24-bit IV field; it is initialized to zero when new TKIP keys are set and then used as an incrementing packet sequence number; the receiver checks for replay, which is determined to have occurred if the received packet sequence number is ≤ the previous correctly received packet sequence number).

that accompanied the message. If the two MICs are identical, in theory, the message was not modified during transmission. An MIC strength of 20 bits satisfies the requirements for WEP. The TKIP MIC is much stronger. In TKIP, the 64-bit MIC is called Michael, and it is estimated that this level of security will take one year to break. The TKIP MIC process is illustrated in Figure 7-17.

7.4.6 Standard 802.1x

The 802.1x standard was developed to help administrators provide greater security to wireless networks. Standard 802.1x uses TKIP to manage data integrity and EAP-TLS to authenticate the user.

Figure 7-17: TKIP MIC generation and verification (sender: message M and authentication key K, known only to receiver and sender, pass through the tagging function to produce the tag or MIC; receiver: MIC verification on M and K yields MIC OK or MIC NO).

EAP-TLS uses certificates on the client and server to provide for mutual authentication. This requires a PKI to manage the creation, distribution, and revocation of certificates. The 802.1x standard also provides for encryption of each connection using TLS. This means that the keys for encryption can be negotiated per session.

Re-keying Against Key Reuse

To protect against key reuse, 802.1x uses a hierarchy of master keys, key encryption keys, and temporal keys. 802.1x temporal keys are used in the TKIP authentication and confidentiality processes. A temporal key set comprises a 64-bit key for the MIC process and a 128-bit encryption key. A different set of temporal keys is used in each direction when an association is established. The material used to generate the temporal keys must be protected from compromise. In 802.1x, this protection is accomplished using key encryption keys. The master key is needed to set up the key encryption keys. This process is summarized as follows:

▲ 802.1x provides that the authentication server and client station share a secret key, the master key.
▲ 802.1x further provides that the authentication server and access point share a secret key, derived by the authentication server and client station from the master key and distributed by the authentication server to the access point.
▲ A new master key is used with each session (a session covers the time from when the user is authenticated to when the key expires, when the key is revoked, or when a client station no longer communicates).
▲ The master key is used to protect the communication of key encryption keys between a client station and the access point.

▲ The key encryption keys are employed to protect the transmitted keying material used by the access point and client to generate sets of temporal keys.
▲ The pairs of temporal keys are used for integrity protection and confidentiality of the data.

Figure 7-18 shows the relationships and locations of the three types of keys.

Figure 7-18: Key hierarchy for re-keying (client station, access point and 802.1x authentication server; the master key is held by the client station and the authentication server, K1 by the access point and the authentication server; temporal keys, encrypted with key encryption keys, feed the TKIP confidentiality and authentication processes).

Configuring 802.1x in Active Directory

In an Active Directory environment, you can configure 802.1x through Group Policy Security Settings, which will solve some of the management problems with 802.11 and 802.1x. Doing so allows you to manage many clients at once with Active Directory. You can get to the Group Policy Security Settings for 802.1x by following these steps:

1. Open the Security Settings section of Group Policy by navigating to the Domain Security Policy Microsoft Management Console (MMC). To do so, open the Start menu, point to All Programs, select Administrative Tools, and then select Domain Security Policy.
2. You can use the Wireless Network (IEEE 802.11) Policies node to configure 802.1x configuration settings (Figure 7-19). Right-click the Wireless Network (IEEE 802.11) Policies node and choose Create Wireless Network Policy from the context menu to configure a wireless policy.

Figure 7-19: Wireless Network (IEEE 802.11) Policies node.

3. This will launch a Wireless Network Policy Wizard that will ask you to enter the name of the wireless policy and then ask if you would like to edit the wireless policy. Give the policy a meaningful name and then click Next.
4. Click the Finish button to end the Wireless Network Policy Wizard and reveal the Wireless Network Policy Properties dialog box.

You can enable a Windows XP client computer to use 802.1x without using Group Policy by following these steps:

1. Open the Start menu, point to Settings, select the Control Panel, and then select Network Connections.
2. Right-click your wireless network connection and choose Properties from the context menu.
3. In the wireless connection’s Properties dialog box, click the Wireless Networks tab to reveal the Properties dialog box for configuring wireless networks for the client, as shown in Figure 7-20.
4. Choose the wireless network configuration in the Preferred Networks list box and click the Properties button.

Figure 7-20: Wireless Networks tab.

5. In the preferred network’s Properties dialog box, click the Authentication tab, as shown in Figure 7-21.
6. Click the Enable IEEE 802.1x authentication for this network check box to enable 802.1x for this client.

Using Protected Extensible Authentication Protocol

Those who don’t have the extensive PKI, which is required with EAP-TLS, can use a protocol called Protected Extensible Authentication Protocol (PEAP). PEAP allows the client to use a password to authenticate the user on the wireless network. PEAP can be used with usernames and passwords, one-time passwords, and token cards. PEAP is supported by Active Directory, Novell® NetWare® Directory Service (NDS), Lightweight Directory Access Protocol (LDAP) directory services, and one-time password database systems. This makes it easier to set up 802.1x, but at a cost of degrading security. This protocol is not as strong as smart cards or some other form of certificates used on clients. Remember, however, that you are always weighing the cost of a solution with the loss that would be incurred if security were breached.

Figure 7-21: Enabling 802.1x on a client.

PEAP needs to be enabled on the client and the server to support this form of authentication for the network. To enable PEAP on the client side, use the EAP type drop-down box on the Authentication tab in the preferred wireless network Properties dialog box, as shown in Figure 7-22.

RADIUS and 802.1x

Regardless of whether you choose to use certificates or PEAP to authenticate with the wireless access point, 802.1x uses RADIUS to authenticate the requests to connect to an access point. The access point acts as a RADIUS client that will forward all connection requests to the RADIUS server. The RADIUS server will check to see if the client has been allowed access to the wireless access point, which ensures that the client is authenticated to gain access to the network and can prevent unauthorized access points. RADIUS also provides extensive auditing and accounting that can also be used to maintain security. These logs can be reviewed to verify the usage patterns of accounts and to recognize if there has been a security violation.

Figure 7-22: Enabling PEAP for 802.1x authentication.

7.4.7 Standard 802.11i

The 802.11i wireless security standard incorporates TKIP, 802.1x, and the Advanced Encryption Standard (AES). AES is a block cipher and, in 802.11i, processes plain text in 128-bit blocks. It uses the following set of keys:

▲ A symmetric master key: This key is known by the authentication server and client station for the positive access decision.
▲ A pairwise master key (PMK): This key is a fresh symmetric key known by the access point and client station and is used for authorization to access the 802.11 medium.
▲ A pairwise transient key (PTK): This key is a collection of the following operational keys:
    ▲ Key confirmation key (KCK): This key binds the PMK to the client station and access point.
    ▲ Key encryption key (KEK): This key is used to distribute the group transient key (GTK), which is an operational temporal key used to protect multicast and broadcast data.
    ▲ Temporal key (TK): This key protects transmitted data and varies with time.

Standard 802.11i employs a 128-bit key, combines encryption and authentication, uses temporal keys for both functions, and protects the entire 802.11i packet. RADIUS and EAP-TLS are not officially part of 802.11i, but are de facto standards for use in 802.1x. 802.11i provides for pre-authentication for roaming (moving between wireless access points) and also for a pre-shared key (PSK) mode. In PSK mode, there is no authentication exchange and a single private key can be assigned to the entire network or on a per-client station pair. The PSK mode uses the Public Key Cryptography Standard (PKCS) #5 version 2.0 and the Password-Based Key Derivation Function 2 (PBKDF2) to produce a 256-bit PSK from an ASCII (American Standard Code for Information Interchange) string password. RFC 2898, “PKCS #5: Password-Based Cryptography Specification Version 2.0,” describes this operation, which applies a pseudorandom function to derive keys. The PSK mode is vulnerable to password/passphrase guessing using dictionary attacks. PSK is acceptable for use in ad hoc and home networks.

7.4.8 Designing for an Open Access Point

Using the 802.11i standard, you can create a secure private wireless network that will provide for data encryption and integrity, but there are many times that you might want to provide open access to the Internet for clients, consultants, or the general public. To do so, you should use a network that is shielded from your internal network by a firewall. Figure 7-23 shows how you would lay out a wireless network with an open access point. You should also control the types of traffic that could be passed to the Internet on the open wireless access point by using a router, firewall, or an intrusion detection system (a system that monitors for network intrusion attempts) to prevent abuse of the public system. A discussion of intrusion detection systems is beyond the scope of this chapter. In addition, you will need to make it clear to those using the open access point that their traffic is not secure and that they should use the open access point at their own risk.

7.4.9 Identifying Wireless Network Vulnerabilities

Wireless networks by their very nature are vulnerable, so you should pay close attention to designing a secure network. The following list includes some of the vulnerabilities you need to consider:

▲ WEP keys must be manually configured in many devices and there is no standard to manage them. You typically have to set them up on the client manually.
▲ Packet checksums, which are the result of a mathematical calculation on the packet that is added to it to verify the integrity of the packet, are not encrypted, so an attacker can manipulate the packets in transit.
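Added example, not from the book: the 802.11i passphrase-to-PSK mapping in Python, using PBKDF2 from RFC 2898 as the text describes. The HMAC-SHA1, 4096-iteration and SSID-as-salt parameters and the passphrase length rule come from the 802.11i standard; the function names are my own, and the SSID check shows why a default SSID weakens PSK mode.

```python
import hashlib

# 802.11i parameters for mapping a passphrase to the 256-bit PSK:
# PBKDF2 (RFC 2898) with HMAC-SHA1, the SSID as salt, 4096 iterations.
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32  # 256 bits


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK for an ASCII passphrase on the named network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 characters long")
    try:
        pw = passphrase.encode("ascii")
    except UnicodeEncodeError:
        raise ValueError("802.11i passphrases must be ASCII") from None
    # The SSID is the salt, so the derived key is bound to the network name.
    return hashlib.pbkdf2_hmac("sha1", pw, ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PSK_BYTES)


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PSK, as configuration tools usually display it."""
    return derive_psk(passphrase, ssid).hex()


def psk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PSKs on two SSIDs.
    Keeping a well-known default SSID throws this property away: every
    network with that name shares one passphrase-to-PSK mapping."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PSK(password, IEEE) =", psk_hex("password", "IEEE"))
    # Constructed values: one passphrase, default SSID versus a renamed one.
    print("PSK differs across SSIDs:",
          psk_depends_on_ssid("correct horse battery", "LINKSYS", "HomeNet"))
```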

Figure 7-23: Open access point (an open wireless access point and an 802.1x wireless access point, each separated from the server, hub and workstation network by a firewall).

▲ The destination or source of a packet can be changed.
▲ Denial-of-service (DoS) attacks can be launched by broadcasting a stronger signal, jamming the air with noise, redirecting packets, or disconnecting clients.
▲ There is no user or machine authentication option with 802.11 protocols.
▲ Shared key authentication is all that is available without 802.1x, so you only need to know the SSID to connect (if WEP is not enabled).
▲ Many access points have a well-known default SSID. For example, a LinkSys® wireless access point’s default SSID is LINKSYS. An attacker will guess the defaults on popular devices first to determine if they can gain access.

The following list includes the main threats to a wireless infrastructure:

▲ Attackers can eavesdrop on wireless packets because they are broadcast through the air. You are broadcasting more or less to the world if you don’t use encryption.
▲ Attackers can figure out your SSID or valid MAC addresses by intercepting wireless packets even if you disable SSID broadcasting or enable MAC filtering.
▲ Employees or attackers can add unauthorized access points to a network to provide access to it. These access points normally will not be secure, opening up a weakness on your network.

FOR EXAMPLE

Designing a Secure Wireless Access Strategy

A real estate office has agents who are rarely in the office, and when they are in the office, they want to connect to the network to check email, access the listing database, and submit paperwork. The agents have laptop computers. The agents share an open-air conference room, and you want to use a wireless access point to give them access. The real estate office network has a single domain controller and two servers. You decide to install IAS on the domain controller and configure 802.1x security using PEAP. You plan to upgrade the solution to support EAP-TLS next year, but first you need to convince the board of directors that you need to invest in a PKI.

SELF-CHECK

1. Compare ad hoc mode and infrastructure mode.
2. Define SSID and explain how it relates to security.
3. Compare WEP and 802.11i.

SUMMARY

In this chapter, you learned about securing remote access and wireless access. You learned that dial-up users and VPN users are authenticated using the same authentication protocols, and that, of those protocols, your best choices are MSCHAP v2 for password credentials and EAP-TLS for smart cards. You learned how to limit which users can connect through dial-up or VPN connections. You also learned about the two tunneling protocols available: PPTP and L2TP/IPsec. Finally, you learned about the methods available for securing a wireless LAN, including SSID, MAC filtering, WEP, WPA, 802.1x, and 802.11i.

KEY TERMS

802.11a
802.11b
802.11g
802.11i
802.1x
Access client

Ad hoc mode
AirSnort
Callback
Challenge-and-response
Challenge Handshake Authentication Protocol (CHAP)
Encapsulating
Extensible Authentication Protocol (EAP)
Generic Routing Encapsulation (GRE)
Group transient key (GTK)
IAS proxy
Infrastructure mode
Initialization vector (IV)
Internet Authentication Service (IAS)
Intrusion detection system
IV sequencing discipline
Key confirmation key (KCK)
Key encryption key (KEK)
Layer 2 Tunneling Protocol (L2TP)
Link Control Protocol (LCP)
Link establishment phase
MAC address filtering
MD5–Challenge
Message Integrity Code (MIC)
Michael
Microsoft Challenge Handshake Authentication Protocol (MSCHAP)
Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2)
Microsoft Point-to-Point Encryption (MPPE)
NAT–Traversal
Network access server (NAS)
Network Control Protocol (NCP)
One-way hash
Packet checksum
Pairwise master key (PMK)
Pairwise transient key (PTK)
Password Authentication Protocol (PAP)
Per-packet mixing function
Point-to-Point Protocol (PPP)
Point-to-Point Tunneling Protocol (PPTP)
Pre-shared key (PSK) mode
Protected Extensible Authentication Protocol (PEAP)
RADIUS client
RADIUS server
Remote access server (RAS)
Remote Authentication Dial-in User Service (RADIUS)
Reversible encryption
RFC 1994
RFC 2488
RFC 2898
Roaming
Routing and Remote Access Service (RRAS)
Serial Line Internet Protocol (SLIP)
Service set identifier (SSID)
Shiva Password Authentication Protocol (SPAP)
Stealth mode
Symmetric master key
TACACS+
Temporal key

Temporal Key Integrity Protocol (TKIP)
Terminal Access Controller Access Control System (TACACS)
Tunnel
Virtual private network (VPN)
War chalking
War driving
WEP open authentication
WEP shared key authentication
Wi-Fi
Wi-Fi Protected Access (WPA)
Wired Equivalent Privacy (WEP)
Wireless access point (WAP)
Wireless fidelity
Wireless LAN (WLAN)

ASSESS YOUR UNDERSTANDING

Go to www.wiley.com/college/cole to evaluate your knowledge of designing and implementing a secure remote access and wireless network infrastructure. Measure your learning by comparing pre-test and post-test results.

Summary Questions

1. Which remote access authentication protocol supports using smart cards with a PIN? (a) CHAP (b) EAP-TLS (c) MS-CHAPv2 (d) SPAP
2. Which remote access authentication protocol requires that you store the password using reversible encryption? (a) CHAP (b) EAP-TLS (c) MS-CHAP (d) PAP
3. A RADIUS server can only authenticate users by contacting an Active Directory domain controller. True or false?
4. Which VPN protocol(s) provide computer authentication? (a) L2TP (b) PPTP (c) both L2TP and PPTP (d) none of the above
5. PPTP traffic can only pass through a NAT server that supports NAT–Traversal. True or false?
6. On a server running Routing and Remote Access as a dial-up server, you can only use policies to determine whether a user can connect if the domain is configured as a native mode domain. True or false?
7. Which of the following can be a RADIUS client? (a) a remote access client (b) a wireless client (c) a VPN server (d) an Active Directory domain controller
8. TACACS+ supports prompting for a password. TACACS does not. True or false?

9. Which wireless networking standard transmits data at up to 11Mbps? (a) 802.11a (b) 802.11b (c) 802.11g (d) 802.11i
10. ___________ mode wireless networks do not require wireless access points. (a) ad hoc (b) open authentication (c) infrastructure (d) shared authentication
11. Which wireless security standard is weak because of the repetition of IVs? (a) 802.11i (b) 802.1x (c) WPA (d) WEP
12. Which type of wireless authentication uses knowledge of an SSID as the only credential required for access? (a) PEAP (b) EAP-TLS (c) WEP open authentication (d) WEP shared authentication
13. WiFi Protected Access is the only wireless security standard that uses TKIP. True or false?
14. Which TKIP feature helps mitigate replay attacks? (a) IV sequencing discipline (b) Michael (c) per-packet key mixing function (d) all of the above
15. Which of the following is required for all implementations of 802.1x? (a) PKI infrastructure (b) strong password policy (c) RADIUS server (d) IAS proxy

Applying This Chapter

1. You are analyzing the security for You Buy It Distribution. You Buy It is a wholesale distributor for a variety of products. Its customers are retail

stores that currently dial in to a server to place the order. Account numbers are a letter followed by five numbers. Their user accounts are shortened versions of the store name, and their passwords are set to their customer account numbers. Passwords are set to never expire. The dial-in server is a domain member, and all retail stores are authenticated using domain accounts. The dial-in server is configured to support all authentication protocols. A customer’s password was recently discovered by an attacker and the attacker gained access to the company network. You have been asked to mitigate the possibility of such an attack happening at a later time.

(a) Assuming that all customers use Windows 2000 Professional or later, which remote access authentication protocols should you disable?
(b) Which protocol would you need to enable to support Linux clients without changing the credentials used?
(c) Some customers have requested the ability to access the server using their broadband Internet connections. How can you support this functionality?
(d) What are the potential drawbacks of using PPTP?
(e) What are the drawbacks to using L2TP/IPsec?
(f) What additional restriction should you place on the RAS?
(g) What additional step should you take to mitigate the risk of a dictionary attack?

2. You have been asked by Community Health Center to develop a secure wireless networking strategy. Community Health Center wants to offer patients wireless Internet access in the waiting room and activity center. It also wants to provide its doctors and nurses with roaming access to both the Internet and the Health Center’s private local area network. Only doctors and nurses should be able to access the local network through the access point. Patient data will be transferred over the local network, so confidentiality and integrity are extremely important.

(a) How will you configure the public access points?
(b) How will you configure the private access points?
(c) What additional server(s) will be required?
(d) What additional requirement should you use to provide stronger authentication?

YOU TRY IT

Designing Remote Access and Wireless Security

You have been hired by NMF Insurance to add remote access functionality to their network. Their adjusters are on 24-hour call and need to be able to submit claims and access customer data through a dial-up connection or through an Internet connection. Adjusters will access the network from home or from a claimant’s home. All insurance adjusters have laptop computers running Windows 98 or Windows XP Professional. All other employees have desktop computers running Windows XP Professional. The network is currently configured as an Active Directory domain. Aside from the domain controller, there are two file servers and a database server. Customer data and claims are stored on different file servers on the network. The network is not currently connected to the Internet. The company is very concerned about the security of data on the network. They are willing to invest the capital for additional servers. In addition, the company is moving to a new location. The owner of the new building will not allow them to run cable.

1. What change to the current network will you suggest?
2. What will you recommend as the most secure VPN protocol and why?
3. What changes to the client computers will be required to support the VPN protocol?
4. What, if any, are the justifications for installing a PKI?
5. What, if any, are the justifications for installing a RADIUS server?
6. What restrictions might you place on dial-up and VPN access?
7. Is there any need to store passwords using reversible encryption?

8 SERVER ROLES AND SECURITY

Starting Point

Go to www.wiley.com/college/cole to assess your knowledge of designing server security based on a server’s role. Determine where you need to concentrate your effort.

What You’ll Learn in This Chapter

▲ Security baselines
▲ Security templates
▲ Network infrastructure server security
▲ Domain controller security
▲ File sharing security
▲ Print server security
▲ FTP server security
▲ Web server security

After Studying This Chapter, You’ll Be Able To

▲ Develop and implement a secure baseline
▲ Secure network infrastructure servers, such as DHCP, DNS, WINS, RAS, and NAT servers
▲ Secure a domain controller
▲ Secure a file, print, and FTP server
▲ Identify the steps to take to secure a web server
▲ Secure a web, application, and database server

INTRODUCTION

Each server in an organization has a specific role. It is important that you consider a server’s role when determining how that server should be secured. This chapter begins with an overview of server roles and a discussion of how to create a security baseline. The chapter then looks at the security concerns associated with various server roles, including network infrastructure servers, domain controllers, file and printer sharing servers, web servers, application servers, and database servers. Although most of these roles exist in non-Windows® networks, we will use an Active Directory® domain environment in most of our examples. Keep in mind that although the implementation of security policies will be different in other environments, the security concerns are similar.

8.1 Server Roles and Baselines

A server role is the job that a server performs on your network. Although in most cases it is recommended that a server perform only a single role, there are a few exceptions to this rule. Some roles are filled by multiple servers, and occasionally a server will perform multiple roles. In addition, some critical roles will be performed by multiple servers in order to provide fault tolerance (protection in case one of the servers fails), better performance, or support for multiple geographic areas. In this section, we’ll discuss the elements of a trusted computing base and describe how to implement a secure baseline on a Windows 2000 Server or Windows Server 2003 network using security templates. A security template is a file that is used to configure specific security settings on a computer.

8.1.1 Trusted Computing Base

Before you start identifying the settings that should be configured in the templates for your organization, you need to define a trusted computing base, which is the total combination of protection mechanisms in a computer system. A secure baseline is a plan for applying the pieces of this trusted computing base to computers. For each server role, you should first document the default settings for each role. Then you can proceed to create a trusted computing base for each server role. The trusted computing base includes the following components:

▲ The detailed configuration and procedure of each component: Each option should have a required setting.
▲ Elaborate documentation: Each configuration step should be documented.

including hardware. Service and Application Settings You should specify the settings that need to be configured for each service that runs on a computer.264 SERVER ROLES AND SECURITY ▲ Change and configuration management: Procedures must be defined for applying changes. as well as the settings and business rules for each application. A secure baseline contains the elements described in the remainder of this section. the cost of the computer. and administrative costs) of the servers in your organization because you will know. software. such as service packs and security updates. The secure baseline will define how to implement the components of the trusted computing base on an individual computer. ▲ Procedural review: All procedures should be reviewed regularly to identify potential weaknesses. You also should have a written guideline for resource permissions—for example. An example of an administrative procedure is a rule stating that the password must be changed on all administrative accounts every 30 days.2 Secure Baseline A secure baseline is a detailed description of how to configure and administer a computer. . An example would be a business rule that specifies that only users in the human resources department can run the human resources application. how it is configured. your organization might specify that the Internet Information Services (IIS) home directory must be %systemroot%\IISApp\WebROOT. Administrative Procedures The business that your organization is in will determine the importance of administrative procedures. based on the role of the computer. Changing the default directory that IIS uses as its home directory can prevent intrusion by Internet worms that have the path of IIS hard-coded in their code. You could also include a rule that dictates that a particular server should accept only connections coming from a specific computer or network segment. 8. 
Operating System Component Configuration You will also want to specify the settings for the operating system components. Having a policy in place for the configuration of each of the operating system components should lower the total cost of ownership (or TCO.1. For example. One example is having a rule that states that only members of the Domain Admins security group will be able to log on locally to the domain controllers. Permissions and User Rights Assignments You should also create a policy that specifies the standards that your organization will follow as it relates to permissions and user rights assignments. only auditors can access client financial data for their clients remotely.

8.1.3 Preparing to Implement the Baseline

Before you can define a template for the computers in your organization, you need to audit your environment by completing the following steps:
1. Record all applications and services on the computer. You must make an inventory of all of the hardware and software components on the system. Without this inventory, you might fail to properly secure an essential component or you might not notice a hardware change that will require a change to be made in the baseline.
2. Record the required security configuration for the operating system and its applications and services. Each security-related setting and configuration task, including administrative procedures, must be documented clearly.
3. Decide how to automate the application of these settings for all computers. Consider using Group Policy or some other automated technique to apply these settings to the computers in your environment. This will minimize errors, ensure consistent configuration settings, and save time.
4. Establish procedures to audit computers in order to detect changes to the baseline. Regular audits will detect changes in the computer settings in addition to changes in the baseline that haven’t been applied.

8.1.4 Security Templates

One way to automate the application of baseline settings on a Windows computer is to use a security template. A security template can be imported directly to Local Security Policy or it can be deployed to a number of computers by importing it into a Group Policy Object (GPO) and linking that GPO to the organizational unit (OU) containing those computers. In most cases within an organization, the security settings for a specific role will be the same on multiple computers. For example, the security settings for one Microsoft® SQL Server (a relational database management system) computer in your organization are likely to have the same configuration requirements as those of another Microsoft SQL Server computer running in your organization. You can create a template for all of the servers running Microsoft SQL Server and a different template for another computer role, such as DNS servers. You can utilize Group Policy to automate the assignment of the templates to the different computers. This implementation strategy guarantees that the security settings on all computers of a specific role will be identical. Group Policy will also automatically reapply the template settings should any of the settings be modified in Local Security Policy on a computer. An example of a role-based OU hierarchy is shown in Figure 8-1. A good way to design a security template hierarchy is to create a baseline template that contains settings relevant to all member servers and to import that template into a GPO linked to the servers’ OU, then apply role-specific settings to

role-based templates and deploy those templates through GPOs linked to the OU for each role. The role-based templates are sometimes called incremental templates.

Figure 8-1 Sample OU design for Group Policy: a Servers OU containing a DNS OU (DNS Server Baseline applied to DNSSRV01 and DNSSRV02) and a SQL Server OU (SQL Server Baseline applied to SQLSRV01 and SQLSRV02).

Predefined Templates
Windows Server 2003 provides several predefined security templates that contain the Microsoft-recommended security settings for some of the more common configurations. Table 8-1 lists each of the predefined templates that come with Windows Server 2003.

Table 8-1: Predefined Security Templates

Default Security (Setup security.inf): Default security settings that are applied when the operating system is installed.

Domain Controller Default Security (DC security.inf): Default security settings on files, Registry keys, and services. This template is applied when a server is promoted to a domain controller, and if reapplied to an existing DC, it may overwrite permissions on new files, Registry keys, and services that were created by other applications. The Registry is a database on a Windows computer that stores hardware and software configuration settings.

Compatible (Compatws.inf): A template containing more lenient access control settings than those defined in the default security configuration. Some legacy applications require users to have more access permissions than are granted by the default Windows configuration.

Secure (Securedc.inf and securews.inf): Templates that provide enhanced security with a low likelihood of conflicting with application compatibility. The secure templates limit the use of LAN Manager and NT LAN Manager (NTLM) authentication by configuring workstations to use NTLMv2 and servers to refuse LAN Manager; therefore, for this to work in your organization, all domain controllers must be running Windows NT® 4 Service Pack 4 or higher. The securedc.inf file is used for Domain Controllers, and the securews.inf file is used for workstations and member servers.

Highly Secure (Hisecdc.inf and hisecws.inf): A superset of the Secure templates, with even more secure configuration settings than those defined in the Secure templates. The highly secure templates will impose higher restrictions on LAN Manager authentication. In order to apply the hisecdc.inf template on a domain controller, all of the domain controllers in all trusted or trusting domains must be running Windows 2000 or later. The hisecdc.inf file is used for Domain Controllers, and the hisecws.inf file is used for workstations and member servers.

System Root Security (Rootsec.inf): Default root permissions for the operating system partition. Applies the permissions and propagates them to child directories and files that are inheriting from the root.

Creating Custom Templates
As you can see, there is not a predefined template for a Microsoft SQL Server or any other application server role. Therefore, you will need to define them yourself. The templates that you create are referred to as custom templates, and it is usually a good idea to use a predefined template as a starting point for them. All computers running Windows Server 2003 store the security templates in the %systemroot%\security\templates folder. You can use the Microsoft Management Console (MMC) Security Templates snap-in to create, view, and modify security templates. Figure 8-2 shows the snap-in within a custom MMC console. By default, authenticated users can read all of the settings within a GPO. You will want to make sure that your production templates are secured so that only authorized administrators have the

ability to view and modify them. It is also considered best practice to designate a single domain controller to hold the master copies of the templates to prevent versioning problems that can occur with multiple copies being modified at the same time.

Figure 8-2 Security Templates snap-in.

Using Security Templates to Audit Configurations
You can monitor changes to the baseline using the Security Configuration and Analysis MMC snap-in. The Security Configuration and Analysis snap-in is used to analyze and configure the security of the local computer. It will detect any conflicts that exist between the settings defined in a specified template file and those that are in effect on the computer. After it analyzes the two, it can be used to apply the template’s settings to the computer. However, remember that settings applied through Group Policy will override those applied through Security Configuration and Analysis. Figure 8-3 shows the report generated when you analyze a computer using Security Configuration and Analysis.

Figure 8-3 Analyzing a computer’s security configuration.

8.1.5 Security Configuration Wizard

If you are securing servers running Windows Server 2003 with Service Pack 1 (or higher), you can use the Security Configuration Wizard (SCW) from Microsoft’s website to simplify the configuration of a server that hosts one or more roles. Before you can use the tool, you must install it through Add or Remove Programs. SCW includes an Extensible Markup Language (XML) database of recommended security settings for various roles (see Figure 8-4). After selecting the roles, SCW examines the system and asks you to confirm or select the following:
▲ Client features.
▲ Additional installed services.
▲ Options that enable services or open ports.
▲ Information to determine appropriate Server Message Block (SMB) signature settings.
▲ Information about how the computer authenticates to other computers.
▲ Information to determine Lightweight Directory Access Protocol (LDAP) signing settings.
▲ Audit configuration settings.
▲ Application-specific information if the server is running an application covered in the SCW database.

When the wizard is finished, it generates a policy file which you can apply to one or more computers. The SCW also allows you to import application-specific XML files. For example, you can import an XML file that contains the recommended settings for an Exchange 2007 server. You can also create custom XML files to support the security settings required by in-house applications.

Figure 8-4 Server roles.

FOR EXAMPLE
Deploying Security Baselines
Busicorp has two domain controllers and fifteen member servers. The domain controllers are also configured as domain name system (DNS) servers. Of the fifteen member servers, five are file servers, two are print servers, two are database servers, four are web servers, one is a Network Address Translation (NAT) server, and one is a Dynamic Host Configuration Protocol (DHCP) server. Two of the web servers are on the perimeter network. One is used by development and the other is used for Quality Assurance testing. Client computers include Windows 98 and Windows XP Professional computers. You create an OU hierarchy like the one shown in Figure 8-5. Because there are legacy clients in the environment, you decide to use the Secure templates as a basis for creating the baseline templates you will import into GPOs linked to the domain controllers and servers OUs respectively. Next, you will create five incremental templates, which you import into GPOs linked to the OUs of the file servers, print servers, database servers, web servers, and NAT servers. Another administrator asks you why you created a NAT servers OU and a DHCP servers OU if there is only a single NAT server and a single DHCP server. You reply that creating OUs for each role enables you to use Group Policy to deploy the security settings, which will ensure that the settings cannot be changed on the local computer.

Figure 8-5 Busicorp OU hierarchy: the busicorp.com domain with a Domain Controllers OU and a Servers OU; the Servers OU contains File Servers, Web Servers, Database Servers, Print Servers, NAT Servers, and DHCP Servers OUs.

8.1.6 Secure Baseline Configuration for Linux Servers

There are some best practices you should use when establishing a secure baseline for a Linux server. These include the following:
▲ Ensure that the root is protected with a strong password.
▲ Prevent CTRL+ALT+DEL from shutting down the computer. You perform this modification by editing the inittab file in the etc directory and adding a “#” in front of the following line:
    ca::ctrlaltdel:/sbin/shutdown -t3 -r now
▲ Next, you need to cause the system to load the new setting by executing the following from the command prompt:
    /sbin/init q
▲ Prevent unnecessary daemons from running. Daemons are stored in the /etc/rc.d directory. The procedure for configuring which daemons load is distribution-specific.
▲ Disable unnecessary services. Depending on the distribution, services will be stored in /etc/inetd.d, /etc/xinetd.d, or /etc/inet.d.
▲ Disable anonymous FTP (File Transfer Protocol) access. The procedure for doing this will differ by distribution.
▲ Filter TCP/IP (Transmission Control Protocol/Internet Protocol) traffic. You can limit the computers that can access the computer by editing the /etc/hosts.deny file and the /etc/hosts.allow file. The syntax for allowing and denying access to a host will vary by distribution.
▲ Make sure passwords are shadowed. Most current Linux distributions hash user passwords using an MD5 (Message-Digest algorithm 5) hash and store the hash in the /etc/shadow file. To verify that your Linux distribution is shadowing passwords, view /etc/passwd. The second field should contain an x, as shown below:
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
▲ Set permissions to limit access to files to only those users or groups that require access.
▲ Verify that programs are configured as SUID programs only when necessary.
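Several of the Linux items above are checks an administrator can script. The following is an added example (not from the book) that runs three of them against file contents passed in as strings; the sample /etc/passwd, inittab and hosts.deny contents are constructed, and the hosts.deny check assumes classic TCP Wrappers syntax.

```python
"""Added example (not from the book): offline checks for three of the Linux
baseline items in Section 8.1.6 (shadowed passwords, Ctrl+Alt+Del in
/etc/inittab, TCP Wrappers default deny). Each function takes file contents
as a string, so the constructed samples below run without touching the host.
"""
import re
from typing import Dict, List

# Constructed sample files. The passwd sample repeats the two correct shadowed
# entries from the section and adds one account (fake hash) whose hash sits
# in passwd itself, which is what the check must catch.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
legacy:$1$ab$5y3sAmPlEhAsHoNlY0:1001:1001::/home/legacy:/bin/sh
"""
SAMPLE_INITTAB_BAD = "id:3:initdefault:\nca::ctrlaltdel:/sbin/shutdown -t3 -r now\n"
SAMPLE_INITTAB_OK = "id:3:initdefault:\n#ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n"
SAMPLE_HOSTS_DENY_OK = "ALL: ALL\n"
SAMPLE_HOSTS_DENY_EMPTY = "# nothing denied\n"


def unshadowed_accounts(passwd_text: str) -> List[str]:
    """Names of accounts whose second passwd field is not 'x' or a lock marker.

    'x' means the hash lives in /etc/shadow; '*', '!' and '!!' mark locked
    accounts with no usable password. Anything else is a hash readable by
    every local user, which is the weakness the section warns about.
    """
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; not a shadowing problem
        if fields[1] not in ("x", "*", "!", "!!"):
            findings.append(fields[0])
    return findings


# inittab format is id:runlevels:action:process; a leading '#' comments it out.
_CTRLALTDEL = re.compile(r"^\s*[^#\s:]+:[^:]*:ctrlaltdel:")


def ctrl_alt_del_enabled(inittab_text: str) -> bool:
    """True while an uncommented ctrlaltdel action remains (reboot still possible)."""
    return any(_CTRLALTDEL.match(line) for line in inittab_text.splitlines())


def default_deny_missing(hosts_deny_text: str) -> bool:
    """True if hosts.deny has no 'ALL: ALL' rule.

    Assumes classic TCP Wrappers syntax; the section notes the exact syntax
    varies by distribution, so adapt the pattern for other formats.
    """
    for line in hosts_deny_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if re.fullmatch(r"ALL\s*:\s*ALL", stripped):
            return False
    return True


def audit(passwd: str, inittab: str, hosts_deny: str) -> Dict[str, object]:
    """Run all three checks and return the findings as one report."""
    return {
        "unshadowed": unshadowed_accounts(passwd),
        "ctrl_alt_del_reboots": ctrl_alt_del_enabled(inittab),
        "tcp_wrappers_default_deny_missing": default_deny_missing(hosts_deny),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_INITTAB_BAD, SAMPLE_HOSTS_DENY_EMPTY))
```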

8.1.7 Virtualization

In many cases, a company does not have the necessary hardware to segregate server roles so that each server runs only a single role (or in the case of an Active Directory–integrated DNS server, two roles). One emerging trend is to use virtualization (the process of installing multiple virtual machines on a single physical host). A virtual machine runs an operating system and one or more applications. To network clients, it is accessed as if it is a physical server. VMware® is a popular virtual server software package that has been around for a long time. If you need a free virtual server that runs on Windows Server 2003, you can download Microsoft’s Virtual Server 2005 from the Microsoft website. Segregating application servers, web servers with different purposes, or infrastructure servers that do not require significant resources using virtualization can allow you to reduce the attack surface of each virtual server. For example, if you run an FTP server in one virtual server and a web server in another virtual server, the web server is not vulnerable to security breaches through FTP and vice versa. One potential drawback to virtualization is that all virtual servers share the same hardware resources of the physical computer, such as processor time and memory. This means that virtualization is not appropriate when you need to support an application that consumes a lot of resources.

SELF-CHECK
1. Define trusted computing base.
2. Compare baseline templates and incremental templates.

8.2 Securing Network Infrastructure Servers

A network infrastructure server is a server that provides a specific service to allow other computers on the network to communicate. The following are some network infrastructure roles in a typical network:
▲ Dynamic Host Configuration Protocol (DHCP) server: a server responsible for automatically assigning IP addresses and TCP/IP configuration settings.
▲ Domain name system (DNS) server: a server responsible for maintaining a database of, and resolving host names to, IP addresses. A host name is the name of a computer on a TCP/IP network.
▲ Windows Internet Name Service (WINS) server: a server responsible for maintaining a database of, and resolving NetBIOS names to, IP

addresses. A NetBIOS name is the name of a computer that is compatible with NetBIOS applications and legacy Windows operating systems.
▲ Remote access server (RAS): a server responsible for providing network access to dial-up or virtual private network (VPN) clients.
▲ Network Address Translation (NAT) server: a server responsible for acting as a gateway between the Internet and computers on the internal network.

8.2.1 Securing DNS Servers

One of the most important services running on your network is the DNS service. As with any software, you should make sure your DNS server software is kept up-to-date with any updated versions and security patches. If the DNS service is running on a multihomed computer (a computer with multiple IP addresses assigned to one or more interfaces), by default the DNS service will listen on all interfaces on the computer. You should specify which interfaces the DNS service should be listening and responding to.

The first thing you should consider is your DNS namespace. A DNS namespace is the name of the domain for your network. You should use a different domain name for your public network and your private network. For example, busicorp.com might be your public namespace and busicorp.local might be your private namespace. An alternative is to create your private namespace as a subdomain of your public namespace. For example, the private domain name might be corp.busicorp.com. You should also have a separate DNS infrastructure for your public or Internet presence and your internal network. You might use an Internet service provider (ISP) to perform your public DNS name resolution, but you will need to implement your internal network’s name resolution on a DNS server.

Problems Caused by Incorrect Zone Data
Records on a DNS server are stored in zones. Each zone corresponds to a DNS namespace. A zone contains the records of the hosts in that namespace and special records that identify the services run by those hosts. When a zone stores incorrect data, either because of an accidental misconfiguration or an attack, it can lead to a variety of problems. There are a number of ways your organization’s DNS infrastructure can be compromised by attackers, including the following:
▲ Service redirection: The site “downloads.com” is a popular location to acquire free and shareware software applications. If DNS requests to this site were instead redirected to the IP address of a malicious attacker’s site, a user might download tainted software without realizing it. If the user trusts the site and does not verify the authenticity through cryptographic signature hashes, the consequences could be monumental. Unscrupulous companies could also use the same approach to redirect traffic from a competitor’s website to their own. Similarly, name servers with MX records (records that identify email servers) can be modified to redirect email from one domain to another. The attacker could spoof the DNS data so that a DNS query returns his or her server’s address when a request is made for a trusted server.
▲ Denial of service: An incorrect record on a DNS server can also be used to launch a denial-of-service (DoS) attack. Instead of redirecting records elsewhere, they can be redirected to 10.1.1.1 or another address range that does not exist. Changing a record to a nonexistent IP address means every time someone tries to resolve the host name he or she is sent to a server that does not exist.
▲ Information leakage: DNS servers maintain significant amounts of information about the architecture of a network. For example, many server naming conventions in companies are descriptive of the services provided by the server: mail.company.com is likely the mail server and www.company.com is the web server. Obtaining DNS records can provide an attacker with a complete database of these names along with their associated IP addresses. This database can provide the attacker with reconnaissance information needed to target specific hosts without actively scanning the network itself.

Zone Transfer Vulnerability
One of the simplest exploits occurs when insecure zone transfers are allowed. A zone transfer is a method of sharing DNS records with one or more other DNS servers. Insecure zone transfers allow an attacker to request your entire DNS zone, thereby giving the attacker all of the names and TCP/IP addresses of the hosts in your network. In addition to the names and addresses of the hosts, the attacker knows which servers are running which services if your DNS server supports SRV records. SRV records are DNS records that are used to locate a server running a particular service, such as a domain controller. In Figure 8-6, you can see that having an entire zone returned to a server that you don’t control allows an attacker to view, among other things, the SRV record for the Global Catalog server, the Kerberos server, and so on. Once the attacker has this information, he or she knows enough to direct attacks at the servers that host the services he or she wants to hijack. If zone transfers must be allowed, you should limit the servers that can receive a zone transfer. On a Windows DNS server, you accomplish this by specifying which servers are allowed to receive the zone data. These settings can be

modified in the Zone Transfers tab of the DNS server Properties window, shown in Figure 8-7.

Figure 8-6 DNS zone SRV records.

The “Only to servers listed on the Name Servers tab” setting requires a DNS lookup to determine the IP address of the server. This setting would be susceptible to DNS spoofing. To mitigate the risk of DNS spoofing affecting your zone transfers, you should select the “Only to the following servers” option and manually add the IP addresses of the appropriate servers, eliminating the need for a DNS lookup. A better solution in an Active Directory domain is to use Active Directory–integrated zones. An Active Directory–integrated (ADI) zone uses Active Directory replication, which is encrypted on the network. You can only create an Active Directory–integrated zone if DNS is installed on a domain controller. Therefore, this is a good example of when it is appropriate for a computer to hold multiple roles.

Figure 8-7 The Zone Transfers tab.

A BIND name server is a type of DNS server that runs on Unix® or Linux computers. BIND name servers can also be used on Windows networks. A BIND name server uses the field “allow-transfer” in the zone statement to allow you to limit the servers that can receive a zone transfer to those listed. An example of the allow-transfer field is shown here:

    zone "sytexinc.com" {
        type master;
        file "data.sytexinc.com";
        allow-transfer { slave-1-IP-addr; slave-2-IP-addr; };
    };

The preceding master statement specifies that it is allowed to transmit zone information to (and only to) the IP addresses of the slave-1 and slave-2 DNS servers. Alternatively, a slave should not transmit to anyone in most configurations. An example of an appropriate configuration for a slave follows:

    zone "sytexinc.com" {
        type slave;
        file "copy.sytexinc.com";
        allow-transfer { none; };
    };

Transaction Signatures (TSIGs) can provide additional security for conventional zone transfer services. Instead of limiting transfers purely based on IP address, sites can maintain cryptographic signatures that further guarantee their authority. Starting with BIND 8.2, this can be implemented using a shared secret key. This key is stored in a record for each allowed transfer site. The following is an example:

    key "rndckey" {
        algorithm hmac-md5;
        secret "k6ksRGqf23QfwrPPsdhbn==";
    };
    zone "sytexinc.com" {
        type master;
        file "data.sytexinc.com";
        allow-transfer { key "rndckey"; };
    };

In this example, only DNS zone transfer requests that have been signed with the shared secret key “k6ksRGqf23QfwrPPsdhbn==” are processed. On the slave, the configuration file would include the following entry:

    key "rndckey" {
        algorithm hmac-md5;
        secret "k6ksRGqf23QfwrPPsdhbn==";
    };
    server master-IP-addr {
        keys { "rndckey"; };
    };
    zone "sytexinc.com" {
        type slave;
        file "data.sytexinc.com";
        allow-transfer { none; };
    };

This identifies that all requests destined for the IP address of the master name server should be signed with the shared secret key “rndckey”. The benefit of this approach versus the previous IP address restriction is that it allows for more flexibility. Name servers configured with dynamic addressing schemes (that is, DHCP) will not operate using the IP address approach, but as long as they are knowledgeable of the shared key they will operate using TSIGs. The weakness of this design is that shared secret keys are used between the two servers, which means that if one server is compromised, the key has been exposed and all are vulnerable. Several popular alternatives exist to conventional zone transfers. The secure copy program, scp, is one example. By default, this program is manual, but it can be combined with scripts and automated distributed file maintenance methods.
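As an added example (not from the book or from ISC BIND), here is a small linter that reads zone statements written in the named.conf style shown above and reports transfer policies weaker than the ones recommended. The sample configuration is constructed from the book’s snippets, with extra zones added to show the failing cases; the parser handles only the zone, type and allow-transfer syntax used here.

```python
"""Added example (not from the book or from BIND): lint the allow-transfer
policy of each zone in a named.conf-style text. It flags masters that leave
transfers open and slaves that re-transmit, the two cases the section warns
about. Only the subset of named.conf syntax used in the section is parsed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the book's TSIG-protected master, plus a master with no
# allow-transfer at all, a slave that transfers to anyone, and a correct slave.
SAMPLE_NAMED_CONF = '''
key "rndckey" {
    algorithm hmac-md5;
    secret "k6ksRGqf23QfwrPPsdhbn==";
};
zone "sytexinc.com" {
    type master;
    file "data.sytexinc.com";
    allow-transfer { key "rndckey"; };
};
zone "example.test" {
    type master;
    file "data.example.test";
};
zone "leaky.test" {
    type slave;
    file "copy.leaky.test";
    allow-transfer { any; };
};
zone "ok-slave.test" {
    type slave;
    file "copy.ok-slave.test";
    allow-transfer { none; };
};
'''

_ZONE_START = re.compile(r'zone\s+"([^"]+)"(?:\s+\w+)?\s*\{')


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in configuration")


def parse_zones(conf: str) -> Dict[str, Dict[str, object]]:
    """Map zone name -> {'type': str|None, 'allow_transfer': list|None}.

    allow_transfer is None when the zone has no allow-transfer clause;
    otherwise it is the list of address-match tokens, e.g. ['none'] or
    ['key "rndckey"'].
    """
    zones: Dict[str, Dict[str, object]] = {}
    for m in _ZONE_START.finditer(conf):
        body = _block_body(conf, m.end() - 1)
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        acl = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        tokens: Optional[List[str]] = None
        if acl:
            tokens = [t.strip() for t in acl.group(1).split(";") if t.strip()]
        zones[m.group(1)] = {"type": ztype.group(1) if ztype else None,
                             "allow_transfer": tokens}
    return zones


def lint_transfers(conf: str) -> List[Tuple[str, str]]:
    """Return (zone, problem) pairs for the transfer policies the section warns about."""
    problems = []
    for name, zone in parse_zones(conf).items():
        acl = zone["allow_transfer"]
        if zone["type"] == "master":
            if acl is None:
                # Older BIND releases default to allowing transfers to any host.
                problems.append((name, "master has no allow-transfer clause"))
            elif "any" in acl:
                problems.append((name, "master allows zone transfers to any host"))
        elif zone["type"] == "slave" and acl != ["none"]:
            problems.append((name, "slave should use allow-transfer { none; }"))
    return problems


if __name__ == "__main__":
    for zone_name, problem in lint_transfers(SAMPLE_NAMED_CONF):
        print(f"{zone_name}: {problem}")
```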

however. a process known as forward lookup. which allows clients and DHCP servers to automatically update the host (A) and PTR records on a DNS server. you would set the Dynamic Updates drop-down list on the General tab to None. To disable dynamic updates completely. as seen in Figure 8-8. a process known as reverse lookup.280 SERVER ROLES AND SECURITY The Dynamic Updates Vulnerability Another DNS–specific vulnerability that can be exploited is the dynamic updates feature. The PTR record is used to determine the host name when the IP address is known. The most secure solution is to simply disable dynamic updates. . this would require much more administrative effort. The host record (or A record) is used to determine the IP address when a client knows the host name. Figure 8-8 Configuring dynamic updates.

8.2 SECURING NETWORK INFRASTRUCTURE SERVERS 281

If you decide to support dynamic updates on a DNS server running on Windows 2000 Server or Windows Server 2003, you will want to make sure that only secure updates are allowed. If you allow unsecure updates, anyone could create a record in your DNS zone that points to the server of their choice. To support secure updates, the zone must be an Active Directory-integrated zone to provide discretionary access control lists (DACLs) on the DNS data, which prevents unauthenticated computers from creating entries.

FOR EXAMPLE
Preventing Attacks by Securing DNS Updates
Jim is the security architect of a small financial institution that processes market trades for its customers. The employees answer calls in a call center and process the trades using a web application. In addition to the line-of-business application that processes the market trades, all applications are run from an internal web server, including the human resources and accounting applications. Because all of the applications are run from the finbank.net domain, it has been added to the trusted zones (DNS domains for which Internet Explorer enforces fewer restrictions) for all workstations in the domain. When employees enter the web address into their browser, a DNS lookup will return the address of the server (which might change) that is running the web application. An attacker is able to modify the DNS entries by updating the DNS server and changing the record of the trusted server so that it points to a server that the attacker controls. Now when employees navigate to the site that they believe is running their business applications, they are in fact navigating to the attacker's website. The site is considered trusted by the users' browsers and will be given the permissions as such. This might allow certain applets to run and access sensitive information on the workstations of the users. After discovering the attack, Jim changes the permissions on the DNS server so that it supports only secure updates.

Cache Poisoning
The last major attack on DNS that we'll discuss is accomplished by poisoning the DNS cache. When a DNS server must query another DNS server to resolve a name, the DNS server caches that information for future requests. Poisoning the cache refers to changing the data in the cache on the downstream DNS servers such that they point to bogus or malicious addresses instead of the proper address. This can occur because of a malicious or invalid update to the master (upstream) server that gets propagated to a downstream DNS server, where it is considered to be valid until the cache expires. Figure 8-9 shows the correct process of DNS caching. If a hacker can modify the cache on the ISP's DNS server, any requests for that cached data will be served the malicious information. In Figure 8-10, the malicious information is an attacker's IP address. You can minimize the poisoning of the DNS cache to a certain extent by selecting the "Secure cache against pollution" option (the default setting) on the Advanced tab in the DNS server Properties dialog box (see Figure 8-11).

282 SERVER ROLES AND SECURITY

Figure 8-9 Proper DNS caching process. User1 requests www.abcinc.com from an Internet browser; the PC queries the ISP's DNS server to resolve www.abcinc.com; the ISP's DNS server queries ABC Inc.'s DNS server for the address of host WWW; ABC Inc.'s DNS server returns the address for WWW, 12.11.123.23; the ISP's DNS server caches and returns the result (www.abcinc.com = 12.11.123.23); the PC connects to ABC Inc.'s WWW server (12.11.123.23). User2 (of the same ISP) then requests www.abcinc.com; the PC queries the ISP's DNS server, which returns 12.11.123.23 from the cache, and the PC connects to 12.11.123.23.

Figure 8-10 Name resolution request with a poisoned cache. User2 (of the same ISP) requests www.abcinc.com; the PC queries the ISP's DNS server to resolve www.abcinc.com; the compromised DNS cache returns the attacker's address, 172.16.45.9; the PC connects to 172.16.45.9, the hacker's WWW server, thinking it is ABC Inc.'s server.

Figure 8-11 Secure cache against pollution option.
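The "Secure cache against pollution" option works by discarding records in a response whose names fall outside the domain the queried server was asked about (a bailiwick check). The following Python model, added here as an illustration and not code from the book, simulates a caching resolver with and without that check, using the addresses from Figures 8-9 and 8-10; the extra name www.busicorp.example and the TTLs are constructed for the example.

```python
"""Bailiwick filtering, the mechanism behind "Secure cache against pollution".

A caching resolver that asks ABC Inc.'s DNS server about www.abcinc.com should only
cache records for names inside abcinc.com. Anything else in the response is discarded,
so a server that answers one query cannot plant addresses for other domains.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "www.abcinc.com"
    rtype: str  # record type, e.g. "A"
    data: str   # record data, e.g. an IPv4 address
    ttl: int    # seconds the record may be cached


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or a name below it (case-insensitive, trailing dot ignored)."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def filter_response(zone: str, records):
    """Split a response from zone's server into records to keep and records to discard."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(rec.name, zone) else dropped).append(rec)
    return kept, dropped


class CachingResolver:
    """Minimal cache: (name, type) -> (data, expiry time)."""

    def __init__(self, secure_cache: bool = True):
        self.secure_cache = secure_cache
        self.cache = {}

    def accept(self, zone: str, records, now: int):
        """Cache the records of a response received from zone's authoritative server."""
        if self.secure_cache:
            records, _ = filter_response(zone, records)
        for rec in records:
            self.cache[(rec.name.lower(), rec.rtype)] = (rec.data, now + rec.ttl)

    def lookup(self, name: str, rtype: str, now: int):
        """Return cached data, or None if absent or expired (expired entries are evicted)."""
        key = (name.lower(), rtype)
        entry = self.cache.get(key)
        if entry is None:
            return None
        data, expires = entry
        if now >= expires:
            del self.cache[key]
            return None
        return data


# Constructed response: the legitimate answer from Figure 8-9 plus an extra record
# for an unrelated name pointing at the attacker's address from Figure 8-10.
# "www.busicorp.example" is a made-up name used only for this illustration.
SAMPLE_RESPONSE = [
    Record("www.abcinc.com", "A", "12.11.123.23", 3600),
    Record("www.busicorp.example", "A", "172.16.45.9", 86400),
]


def demo():
    """Compare what each resolver serves for the unrelated name after the same response."""
    secure = CachingResolver(secure_cache=True)
    secure.accept("abcinc.com", SAMPLE_RESPONSE, now=0)
    loose = CachingResolver(secure_cache=False)
    loose.accept("abcinc.com", SAMPLE_RESPONSE, now=0)
    return {
        "secure": secure.lookup("www.busicorp.example", "A", now=10),
        "loose": loose.lookup("www.busicorp.example", "A", now=10),
    }


if __name__ == "__main__":
    print(demo())  # {'secure': None, 'loose': '172.16.45.9'}
```

The check only protects against out-of-bailiwick records; a poisoned answer for www.abcinc.com itself, coming from a server that is entitled to speak for abcinc.com, is still cached until its TTL runs out, which is why the text treats the option as a partial mitigation.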

284 SERVER ROLES AND SECURITY

8.2.2 Securing DHCP Servers
Another important infrastructure server in most networks is the DHCP server. A DHCP server is configured with one or more DHCP scopes, which are ranges of addresses to assign to DHCP clients. Possible threats against a DHCP server include the following:
▲ Rogue DHCP servers (unauthorized DHCP servers) assigning invalid addresses.
▲ Modification of the DHCP scope information.
▲ Denial of service by using all addresses in the DHCP scope.
▲ When dynamic DNS updates are used, the DHCP server can make invalid entries in the DNS zone.

You can mitigate the risk of rogue DHCP servers on an Active Directory network by using Windows 2000 or Windows Server 2003 DHCP servers and authorizing them in the domain. A Windows 2000 or Windows Server 2003 DHCP server that is a domain member will send a DHCPINFORM message to verify that it is authorized to run and will not start the service unless authorized. Although this protection helps prevent rogue DHCP servers on the network, it does not eliminate the risk. Some DHCP servers, including Windows NT 4.0, do not send a DHCPINFORM message. Another important consideration is that Internet Connection Sharing (ICS) operates as a DHCP server and always assigns addresses in the 192.168.0.x range. ICS is a very simplified NAT service that can run on Windows 2000 Professional or Windows XP computers. You can sometimes tell that there is a rogue DHCP server on the network when clients begin to receive incorrect IP addresses or when duplicate addresses are assigned on a network.

To mitigate the risk of modification of DHCP scope information, you should make sure to limit who has permission to modify the DHCP scope. On a Windows 2000 or Windows Server 2003 DHCP server, you can do this by limiting membership in the DHCP Administrators group and (of course) the Administrators group. On a Linux or Unix DHCP server, you need to limit who has permission to modify the dhcpd.conf file.

One way to mitigate the risk of a DHCP attack is to use DHCP to assign addresses only to clients. Server IP configuration should be manually configured. You can configure a DHCP scope to always assign a static address to a server. On a Windows DHCP server, you do this by creating a client reservation. On a Unix or Linux DHCP server, you add a static configuration to the dhcpd.conf file as follows:

    host securesvr {
        hardware ethernet 07:fa:32:87:92:13;
        fixed-address 192.168.1.180;
    }

Another way attackers might use DHCP in an attack is to assign the addresses in the DHCP scope using manual configuration. When DHCP attempts to issue the address, an error will occur because the IP address is already in use. You can be warned of this type of attack by auditing the DHCP server. On a Windows 2000 or Windows Server 2003 DHCP server, the "Enable DHCP audit logging" option is enabled by default, as shown in Figure 8-12. You can view the audit logs in %windir%\system32\dhcp.

Figure 8-12 Enabling auditing on a Windows Server 2003 DHCP server.

When dynamic DNS updates are enabled, the default settings allow clients to register the A record and the DHCP server to register the PTR record. Because only the owner of a record can modify it using dynamic updates, this configuration ensures that the client can update its A record when its address changes. For legacy clients that do not support dynamic updates, you can change a Windows 2000 or Windows Server 2003 DHCP server's configuration so that the DHCP server updates (and owns) both the A and PTR records belonging to legacy clients, as shown in Figure 8-13. This is a dangerous configuration if there are multiple DHCP servers or rogue DHCP servers, especially if the DHCP server is a member of the DNSUpdateProxy group. If you need to support legacy clients, add the DHCP servers to the DNSUpdateProxy group to prevent the DHCP server from taking ownership of the records it creates. Another precaution is to avoid installing DHCP on a domain controller because it might prevent the domain controller from owning its A records and SRV records.

Figure 8-13 Supporting dynamic updates for legacy clients.
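The audit log in %windir%\system32\dhcp is a comma-separated file whose header lists event IDs; two of them correspond directly to the attacks described above: event 13 ("An IP address was found to be in use on the network") is what the server records when an address in the scope has been configured manually, and event 14 ("A lease request could not be satisfied because the scope's address pool was exhausted") is what an address-exhaustion DoS leaves behind. The following Python script, added here as an example and not part of the book, parses such a log and reports those conditions. The sample lines are constructed; they follow the ID,Date,Time,Description,IP Address,Host Name,MAC Address layout of the Windows Server 2003 audit log, and the host names, MAC addresses and times are made up.

```python
"""Scan a Windows DHCP audit log for the symptoms described in the text.

Event 13 (an address was found to be in use) is what the server records when it tries
to hand out an address someone has configured manually; event 14 (scope's address pool
exhausted) is what an address-exhaustion DoS leaves behind.
"""
import csv
from collections import Counter
from io import StringIO

# Event IDs listed in the header of the Windows DHCP audit log (DhcpSrvLog-<day>.log)
EV_ASSIGN = "10"      # A new IP address was leased to a client
EV_CONFLICT = "13"    # An IP address was found to be in use on the network
EV_SCOPE_FULL = "14"  # Lease request could not be satisfied: address pool exhausted
EV_DENY = "15"        # A lease was denied

# Constructed sample in the 2003-era column layout; hosts, MACs and times are made up.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/20/08,08:00:01,Started,,,
10,05/20/08,08:01:12,Assign,192.168.1.51,ws01.busicorp.local,00A0C9112233
13,05/20/08,08:02:40,Conflict,192.168.1.52,,
13,05/20/08,08:02:41,Conflict,192.168.1.53,,
13,05/20/08,08:02:43,Conflict,192.168.1.54,,
14,05/20/08,08:03:10,Scope Full,,ws07.busicorp.local,00A0C9445566
"""

FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")


def parse_audit_log(text: str):
    """Return one dict per event row; header, blank and explanatory lines are skipped."""
    rows = []
    for row in csv.reader(StringIO(text)):
        # Event rows start with a numeric ID; the legend and column header do not.
        if len(row) < len(FIELDS) or not row[0].strip().isdigit():
            continue
        rows.append(dict(zip(FIELDS, (col.strip() for col in row[:len(FIELDS)]))))
    return rows


def summarize(rows, conflict_threshold: int = 3):
    """Count events by ID and return findings worth an administrator's attention."""
    counts = Counter(row["id"] for row in rows)
    findings = []
    if counts[EV_CONFLICT] >= conflict_threshold:
        addrs = sorted(row["ip"] for row in rows if row["id"] == EV_CONFLICT)
        findings.append(f"{counts[EV_CONFLICT]} address conflicts ({', '.join(addrs)}): "
                        "scope addresses may have been configured manually")
    if counts[EV_SCOPE_FULL]:
        findings.append(f"{counts[EV_SCOPE_FULL]} lease request(s) failed with the scope exhausted: "
                        "possible address-exhaustion DoS or an undersized scope")
    return counts, findings


if __name__ == "__main__":
    _, findings = summarize(parse_audit_log(SAMPLE_LOG))
    for finding in findings:
        print(finding)
```

A single conflict is routine (a laptop with a stale static address, for instance), so the script only raises a finding once several conflicts appear; tune conflict_threshold to the size of the scope, and feed the function the real daily log file rather than SAMPLE_LOG when running it on a server.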

Dynamic updates are controlled on a Linux or Unix computer by the ddns-update-style parameter in the dhcpd.conf file. To prevent dynamic updates, enter the following line:

    ddns-update-style none;

8.2.3 Securing WINS Servers
WINS uses dynamic registration to allow computers to create and update records in the WINS database. WINS replication copies the records registered at one WINS server to the other WINS servers on the network. If records do not exist on a client's primary WINS server, the client will not be able to locate the other computers on the network. Most attacks against a WINS server are DoS attacks that prevent clients from locating resources on the network. These attacks can include the following:
▲ Preventing WINS replication from occurring.
▲ Registration of invalid records.
Registering an invalid record for a server can cause clients to connect to the wrong server or be unable to connect to resources on the network. One vulnerability of the WINS server is that if a host record has the same name as a group record (such as for a domain), the group record will not be found.

The best way to mitigate attacks against WINS servers is to eliminate the need for them by replacing legacy operating systems and NetBIOS applications (an application that uses the NetBIOS application layer protocol to communicate on the network). Keep in mind that NetBIOS broadcasts can be used for lookup instead of WINS if all computers that require NetBIOS names are on the same subnet. Another option is to use an LMHosts file to provide for NetBIOS lookup if only a few computers need access to NetBIOS resources on a different subnet. However, keep in mind that the LMHosts file must be manually created and maintained, so if there are significant NetBIOS clients that need to resolve names across subnet boundaries, it is best to use WINS. If you must include WINS servers on your network, you should do the following:
▲ Minimize the number of WINS servers to reduce the need for replication.
▲ If replication is required, monitor the configuration periodically.
▲ Limit the membership in the WINS Admins group.
You should also configure IPsec (IP security) filters to allow the following services:

▲ WINS Resolution server (if a WINS server).
▲ WINS Replication server (to a WINS Replication partner only).
▲ WINS Replication client (to a WINS Replication partner only).
▲ All ports and protocols for domain member communication with domain controllers (to domain controllers only).
All traffic rules should be mirrored to allow for two-way communication. You would also create an additional filter that blocks inbound traffic from any unnecessary services and protocols not included in the preceding list.

FOR EXAMPLE
Securing a DHCP Server
You must configure the incremental security baseline for Busicorp's DHCP server. The server is currently configured to allow the DHCP server to make dynamic updates on behalf of clients. The company has also had a problem with rogue DHCP servers, usually because an employee enables ICS. To prevent a DHCP server from owning the A records, you add the DHCP server to the DNSUpdateProxy group. You also recommend that Windows 98 client computers be replaced with Windows XP Professional computers as soon as the budget allows. To prevent rogue DHCP servers on the network, you disable the DHCP Server service in the baseline server template and in the organizational unit that contains the client computers. You then enable the DHCP Server service for automatic startup in the incremental template that will be imported into the GPO linked to the DHCP Servers OU.

8.2.4 Securing RASs
Each RAS on your network provides an additional entry point. An unauthorized RAS can bypass network protections, such as firewalls, leaving your network vulnerable to attack. The best way to guard against such an attack is to ensure that only authorized computers can be configured as RASs. On an Active Directory network, you can use Group Policy to prevent the Routing and Remote Access service from being started on any computer except the designated remote access or VPN servers. Another important consideration is keeping the authentication policies and authorization policies consistent throughout the RASs in your organization. A good way to do this is to make all RASs Remote Authentication Dial-In User Service (RADIUS) clients.

8.2.5 Securing NAT Servers
You should install servers that allow clients access to the Internet on a perimeter network and make sure the appropriate firewall rules are configured to prevent unwanted network access over the Internet. It is a good idea to disable file sharing on the NAT server. You should also prevent unnecessary services from running on the NAT server and ensure that confidential files are not stored there.

SELF-CHECK
1. Identify the risk involved with zone transfer on a DNS server.
2. Describe how a rogue DHCP server can cause a DoS attack.
3. Identify the steps you need to take before you can decommission the WINS servers on a network.

8.3 Securing Domain Controllers
A server that performs authentication on your network is one of the most critical resources to secure because it contains the database of user credentials. If an authentication server is compromised, the attacker has access to user accounts or can create an account and assign it administrative permission on the network. The domain controller role is the most important server role to secure in an Active Directory environment. In this section we'll look at the steps you should take to secure domain controllers in an Active Directory network. Because these servers are so critical to the domain, you should make sure that they are physically stored in a secure location and are only accessible to qualified and authorized administrative staff. If you must store a domain controller in an unsecured location, such as a satellite office, there are several security settings that can be configured to minimize the potential damage from physical threats.

You control the configuration of domain controllers by creating a Domain Controller Baseline Policy (DCBP) and linking it to the Domain Controllers OU. Linking an improperly configured GPO to the Domain Controllers OU could severely impact the operation of the domain. You should make sure that the DCBP takes precedence over the Default Domain Controllers Policy. Depending on the environment you are using, the DCBP will specify additional settings for the various sections of the template. One of the sections you can use to provide a higher degree of security is the User Rights Assignment section under the Local Policies heading. It is in this portion that you can specify who is permitted to perform certain tasks. The following is a partial list of the user rights assignments you might want to configure:
▲ Access This Computer From The Network: This user right gives the users granted the right the ability to communicate with the server and access shares and services over the network.
▲ Add Workstations To Domain: This user right gives the user or group the ability to join the computer to the Active Directory domain.
▲ Change The System Time: This user right allows the user or group to change the time on the computer.
▲ Log On As A Service: This user right grants a user or group the ability to register a process as a service.
▲ Log On Locally: This user right allows a user or group to log on interactively on the computer.
▲ Manage Auditing And Security Log: This user right grants a user or group the ability to configure the audit and security log. On a domain controller, this right should be granted to Administrators only.

According to the Windows Server 2003 Security Guide, your domain controllers should have the following rights configured in the template:
▲ Deny Access To This Computer From The Network:
  ● Built-In Administrator
  ● Support_388945a0 (a built-in account used by the Help and Support service and normally disabled)
  ● Guest
  ● All Non-Operating System service accounts
▲ Deny Log On As A Batch Job:
  ● Support_388945a0
  ● Guest
▲ Deny Log On Through Terminal Services:
  ● Built-In Administrator
  ● All Non-Operating System service accounts

When configuring the template in an environment that does not include Windows 9x computers, you will want to enable the "Network security: Do not store LAN Manager hash value on next password change" setting. Figure 8-14 shows this setting being configured from the Security Templates MMC snap-in.

Figure 8-14 Preventing storage of LAN Manager passwords.

All domain controllers have the following services configured to start automatically in the System Services section of the predefined templates:
▲ Distributed File System (DFS): a service that manages the Windows Server feature that allows multiple file shares to be represented as a single logical volume.
▲ DNS: required for Active Directory-integrated zones.
▲ File Replication Services (FRS): service responsible for transferring files and the directory database between domain controllers.
▲ Intersite Messaging service (IsmServ): allows communication between domain controllers at different Active Directory sites. A site is a grouping of computers that usually represents a geographic location.

▲ Kerberos key distribution center (KDC): required on all domain controllers to perform authentication.
▲ Remote Procedure Call Locator (RpcLocator): service that allows computers to find a server running the remote procedure call (RPC) service. RPC is used to allow some applications to communicate across the network.

You should disable any unnecessary services. For example, if you are not using DFS on your network, you should disable it.

SELF-CHECK
1. Describe how you should deploy a DCBP.

8.4 Securing File and Print Servers
Servers that share files and printers to the network need to be secured against an attacker gaining access to confidential information or violating the integrity of data. In this section we'll look at some steps to take to secure a file server and a print server. We'll also discuss how to mitigate the risk involved with deploying FTP servers.

8.4.1 Securing File Servers
The security required on a file server will depend on the confidentiality and integrity of the files being stored on the file server. Access control is essential to securing a file server. In addition, you should enable auditing for access to files with confidentiality or integrity requirements. Enabling auditing for file access on a Windows computer is a two-step process. First, you must enable the Audit object access policy under Local Policies | Audit Policy. This is shown in Figure 8-15. Next, you need to enable auditing on the specific folder or file. To enable auditing on a folder or file, do the following:
1. Open the object's Properties dialog box to the Security tab and click "Advanced."
2. Select the Auditing tab, as shown in Figure 8-16, and then click "Add."
3. Type the name of the user or groups whose access attempts you want to audit and click "Check Names." For example, if you want to audit all access attempts, type "Everyone," then click "OK."

4. Select "Success" and/or "Failure" for each permission you want to audit access for, as shown in Figure 8-17. In this case, you are auditing successful and failed deletion attempts.
5. After you have selected the appropriate permissions, click "OK," and then close all open dialog boxes.

Figure 8-15 Enabling the Audit object access policy.

Figure 8-16 The Auditing tab.

8.4.2 Securing Print Servers
The incremental template for a print server must include enabling the Print Spooler service and configuring it to start automatically. When securing a print server, you should first ensure that the appropriate permissions are set on the printer. On a Windows network, printers support the following permissions:
▲ Print permission: Users with the Print permission can send documents to the printer.
▲ Manage Documents permission: Users with the Manage Documents permission can manage the print queue, including deleting documents that were sent to the printer by other users. A print queue is a list of documents (print jobs) that have been sent to the printer.
▲ Manage Printer permission: Users with the Manage Printer permission can change printer settings and install drivers.

If you want a record of printer use, print queue modification, or printer configuration modification, you can enable auditing. You configure auditing for printers on a Windows network the same way you configure auditing for files. Another concern is that documents are spooled to the hard disk of the print server (stored in a file in a designated folder until they have been printed). If the print server is configured to keep documents that have been printed, this presents a security risk because an attacker who can gain access to the spooler folder might be able to obtain confidential data from the spooled files. Another potential risk is with printers that have been shared through IIS. These printers can be located and accessed through a browser. Therefore, it is especially important to secure these printers by setting permissions.

Figure 8-17 Enabling auditing.

8.4.3 Securing FTP Servers
Exchanging files with the public or with unknown users will often involve the use of FTP. Many server operating systems will come with FTP as a means for transferring files to the server, but it is usually not enabled by default. If not locked down, an FTP server can be a point of compromise for the server and network as a whole. Anonymous FTP is particularly risky and open to various attacks. As the name implies, anyone can transfer files without being authenticated with a password.

When prompted for a username, the word anonymous is provided. When prompted for a password, the user is expected to enter his or her email address. Most FTP sites do not check that the email address is valid or even that the domain in the email matches the domain being used by the user.

Some sites configure their anonymous FTP servers to allow writable areas (for example, to make available incoming or drop-off directories for files being sent to the site). However, the potential for abuse exists. These drop-off sites are used as data repositories for the abusers to share information. Abusers often gather and distribute lists describing the locations of vulnerable sites and the information these sites contain. The lists (known as warez lists) commonly include the names of writable directories and the locations of pirated software. If these files can be read by anonymous FTP users, they can also include password files or other sensitive information. Unfortunately, in many cases, system administrators are unaware that this abuse is taking place on their FTP servers. They might be unfamiliar with this type of abuse (and so haven't taken steps to prevent it), or they might think that they have configured the FTP server to prevent abuse when, in fact, they have not. System administrators at the sites being used to place or pick up items from the drop-off area might also not be aware that their users are participating in this activity.

FOR EXAMPLE
An FTP Server Exploited by Elevation of Privilege
Busicorp has provided its clients with a more secure method of uploading financial data by deploying a VPN server. However, you discover that the developers had been using the FTP server on the perimeter network to allow members of the development team to transfer files back and forth when they were telecommuting. The developers need to continue to use the FTP server for this purpose. Several of the developers have complained about poor performance when accessing the FTP server, and they say the server is running out of disk space. You examine the files on the server and realize that there is a hidden directory that contains a large volume of pirated software. You also notice that a customer's account that you had not deleted has been added to the Administrators group. You delete the hidden directory and all user accounts except those belonging to developers. You configure permissions so that the developer accounts can access only a single folder on the server and verify that they are all members of the Users group. You also enable auditing for failed and successful account management events so that you can be warned of a future elevation of privilege attack.

An FTP server can be run securely but requires constant monitoring. Anonymous FTP has a number of vulnerabilities. If anonymous FTP is enabled, any files in the root directory would be available for downloading. Also, malicious applications might be uploaded. Following are recommendations to minimize the risk when using an FTP server:
▲ Lock down the server's host. The server should not run any other services. Other hosts on the same network should not consider the FTP server trusted. If possible, place the server behind a firewall that only permits FTP access to the server.
▲ Do not allow anonymous access to the FTP server.
▲ If anonymous FTP is required, set up a separate server to handle this traffic.
▲ Do not put any sensitive files on the same host as the anonymous FTP server.
▲ Turn on extensive logging on all the FTP servers.
▲ Closely monitor the logs and activity to the FTP server. Be prepared to stop and isolate the server in the event it exhibits any unusual behavior.
▲ Turn off the FTP server when it's not actually needed. In many cases, the server's administrator expects one or more users to access the FTP server in a certain window of time. The administrator should let the users know the window of time for which the server will be up so the users can get the files they need.

FTP transfers files in clear text. Therefore, you should consider using Secure FTP (SFTP) or secure copy protocol (SCP) instead. Another option is to encrypt the FTP traffic using IPsec.

SELF-CHECK
1. List the steps required to enable auditing for file access on a computer running Windows Server 2003.
2. Identify the change to System Services you will make when creating an incremental template for print servers.
3. Describe the credentials used by tradition on an anonymous FTP server.

8.5 Securing Application Servers
The final type of server we'll discuss is servers that run applications. Servers in this category are especially vulnerable to attack because you do not have control over vulnerabilities that might exist in the applications running on the servers. The security measures you decide to implement on an application server depend on the criticality of the service the server provides and the confidentiality and integrity requirements of the data stored on the server and the data that can be accessed across the network by the application. Our focus will be on web servers and database servers. Email servers and issues related to email security are discussed in Chapter 9.

8.5.1 Securing Web Servers
A web server is a target for attack because of its high value and the high probability of weakness. In addition, the web servers that provide the highest value often also provide the highest probability of weakness because they rely on multiple applications. Let's look at some of the common attacks on web servers and some steps for mitigating them.

Investigative Searching
Pieces of information posted on the Internet are rarely forgotten (even years after being identified by a caching search engine). As a form of reconnaissance against a site, attackers will often harvest usernames by using websites to search for email addresses. For instance, web administrators often place email addresses of employees and web masters on a web page. As it turns out, simple searching on the partial email address @maia.usno.navy.mil quickly turns up over a dozen email newsgroup postings, each of which provides a unique username that can be used in an attack.

Enumerating Directories
A common mistake made by website administrators is to allow directory listings. By default, a website's default page will be displayed if the Uniform Resource Locator (URL), the path to the web page, does not include a filename. On a server running IIS, this would usually be a page named "default.htm," "default.asp," or "default.aspx." On most other web servers, this would be a page named "index.html" or "index.htm," but you can specify a different filename for the default page. If the default page does not exist and directory listings are allowed, the website will display the subdirectories and files in the folder, which can provide an attacker with additional ammunition against a site, such as files that an administrator does not intend to be available to users, and might accidentally leak sensitive information.

Faulty Authorization
Mistakes in authentication and authorization can lead to account harvesting or, even worse, impersonation. One example of this is using Basic authentication on a computer running IIS. Basic authentication allows usernames and passwords to be passed as clear text.

Defacing a Website
Another common attack launched against web servers is to deface the website by adding content or modifying a hyperlink (clickable area on a web page that loads a different URL) so that it redirects a user to a site with malicious content.

Steps for Securing a Web Server
Now that you are aware of some of the dangers with web servers, let's look at some general steps you can take to prevent unauthorized access. These steps include the following:
▲ Set suitable access control lists (ACLs) on web content. You should consider the minimum permissions with regard to content. You should ensure that content directories are protected by permissions to prevent unauthorized users from modifying the content. You will need to make sure the scripts and executables have the necessary permissions to run. You will need to pay attention to permissions on log files to prevent alteration or revealing too much information. It is also a good idea to use server-side programs so that the website's programming logic cannot be seen by viewing the source in a browser. A server-side program is code that executes on the web server and returns HyperText Markup Language (HTML) to the browser. HTML is the standard language used to create web pages. Server-side programming technologies include Common Gateway Interface (CGI), Internet Server Application Programming Interface (ISAPI), Active Server Pages (ASP), and ASP.NET.
▲ Install only components that are being used by the web server. Software that is installed but not used is usually not secured, maintained, or set up properly. This makes it a great target for attacks. Having extra services running also increases the odds that you will be attacked through a bug in one of the components. If the web server supports multiple websites, make sure that each website has only the necessary services and extensions enabled to run its content.
▲ Use secure communication mechanisms where appropriate. Determine what connections are vulnerable to eavesdropping and use appropriate encryption mechanisms over the connection. The most common mechanism for Hypertext Transfer Protocol (HTTP) applications is Secure Sockets Layer (SSL).

▲ Decide what protocols you need and filter anything else. You will need to evaluate the protocols you are using on the server. This means not only evaluating the application's protocols, but also looking at the protocols used to manage the application and to update the content of the application. You should understand what protocols are available and what the network infrastructure will allow. You will then apply TCP/IP packet filtering or, for more security, IPsec filters to deny access to the server for protocols that are not used. Filtering on the server should not take the place of a good firewall; it is an added precaution.
▲ Remove any samples or demonstration applications. The sample applications are meant to show a developer how to solve some particular problem or use a certain technology. However, they are generally not secure and can be the source of attacks. They should be removed from production servers.
▲ Enable logging on the server. Logging is how you track what is happening on the server. You will be able to use logging information to report trends about usage and performance. It can also be used after a security incident to determine the damage done to the server or as evidence to prosecute the attacker. You will need to consider a plan for backing up the log files on a regular basis and determine how much information you will need to keep.
▲ Create a plan to back up all of the server content. The successful implementation of a backup plan can help you recover the server quickly in case of a security breach, like website defacement.
▲ Create a plan for updating content on the server. You will need to decide how new content will get moved to the server. Moving content can introduce security issues if it is not carefully considered.
▲ Create a plan to keep the server up-to-date. Keeping up with security updates on a web server is very important. As new vulnerabilities are discovered, security patches are released to address them.
▲ Install and configure UrlScan if your web server is running IIS. UrlScan is an ISAPI filter that screens and analyzes URLs and requests before IIS has a chance to process them. IIS 6 incorporates features that make UrlScan less necessary than with previous versions of IIS. However, you still need UrlScan if you want to do the following:
  ● Filter URLs based on their length.
  ● Filter HTTP commands, which are called verbs (GET, POST, PUT, SEARCH, BPROP, to name a few).
  ● Remove the server header to conceal the identity and version of the web server and operating system.
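The three UrlScan capabilities listed above map onto a handful of settings in its urlscan.ini file. The fragment below is an added example written for this page, not configuration shipped with UrlScan or taken from the book; the section and key names are those of UrlScan 2.5, and the specific limits (the verb list, a 260-character URL ceiling) are choices assumed for a site that serves only static pages and simple forms, so adjust them to the application.

```ini
; urlscan.ini fragment (added example): restrict verbs, cap URL length, hide the Server header
[options]
; Accept only the verbs listed in [AllowVerbs]; 0 would instead reject those in [DenyVerbs]
UseAllowVerbs=1
; Canonicalize the URL before checking it, and reject requests that change under a second pass
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; Refuse non-ASCII characters and dots in the path (common in traversal attempts)
AllowHighBitCharacters=0
AllowDotInPath=0
; Strip the Server: response header so the IIS version is not advertised
RemoveServerHeader=1
; Keep a per-day log of rejected requests for review
EnableLogging=1
PerDayLogging=1

[AllowVerbs]
GET
HEAD
POST

[RequestLimits]
; Reject URLs longer than 260 characters and over-long query strings or bodies
MaxUrl=260
MaxQueryString=2048
MaxAllowedContentLength=30000000
```

Rejected requests are written to the UrlScan log directory; review that log after deployment, because an overly tight verb list or URL limit will first show up there as legitimate requests being refused.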

8.5.2 Securing Database Servers
Because database servers are used to store data, they are often the subject of attacks that seek to breach the confidentiality or integrity of the data they store. As with most servers, when planning security for a database server, it is important to determine the cost of an attacker gaining access to the data on the site. A database server is usually accessed from a client/server application or a web application. A network administrator is often not the person responsible for securing the relational database. That job usually belongs to a database administrator. However, a network administrator does need to ensure that the server the database management system runs on is secure. For example, this involves minimizing the server's attack surface by physically securing the server, disabling services, limiting user rights, and creating IPsec filters to limit and secure the traffic to the server. It is important that you work with the database administrator and application developers to understand who needs to be able to access the database and the protocol or protocols they will use to access it. A common attack launched against a database server is an SQL injection attack. Let's take a look at how it happens and how to mitigate it.

SQL Injection Attack
Structured Query Language (SQL) is the American National Standards Institute (ANSI) standard for database query languages. Implemented in a number of database management systems, including Microsoft Access, Microsoft SQL Server, Oracle, and Sybase, this standard has been accepted industrywide. Statements written in SQL are capable of adding, removing, editing, or retrieving information from a relational database. The sample database provided in Table 8-2 is an example of a database. The following SQL command (query) will return the entries for customers Molly and Margaret Carroll:

    select * from customerinfo where last='Carroll'

A SQL injection attack occurs when a malicious user purposefully enters data into this table that will cause an error in its processing.

Table 8-2: Sample Database

    First      Last       Location   Organization
    Molly      Carroll    22305      University of Science
    David      Michaels   45334      International Sales Corporation
    Barbara    Richards   35758      Tungsten Tidal
    Margaret   Carroll    44506      Association of Metallurgical Science

shutdown If the web application does not validate the data entered and the server supports the shutdown commands. this statement is syntactically incorrect and will result in an error: Server: Msg X. The user can simply add another condition to the query string. with the added single quote. Line 20 Line 20: Incorrect syntax near ’chaels’ This error would be even more serious if the malicious user were to add a semicolon and a command following the single quote that would be executed by the server: First Name: David Last Name: Mi’. the server will execute a shutdown after performing the query. Websites that use SQL as a means of authentication are just as vulnerable.302 SERVER ROLES AND SECURITY suppose that this information was collected through online registration for the International Metallurgical Convention. If David Michaels had been a malicious user. for example: Var login=”select * from users where username = ’”+ username + ”’ and password = ’” + password + ”’”. which makes it always true to grant access: First Name: David Last Name: ’ or 1=1 To guard against SQL injection attacks. . he might have tried to inject SQL into his input by entering the following: First Name: David Last Name: Mi’chaels Now the query string for this element has become the following: select * from customerlist where last=’Mi’chaels’ However. website and database developers need to be educated about the danger and add code to their applications to validate all user input before it is concatenated onto an SQL query. Level X. Take the following authentication query. State 1.
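The injection described above, replayed against an in-memory SQLite copy of Table 8-2, beside the parameterized query that defeats it. This is an added example, not code from the book; the table name, column names and sample rows are constructed for it.

```python
"""Added example (not from the book): string-concatenated lookup versus a
parameterized lookup over a constructed copy of Table 8-2."""
import sqlite3

# Constructed sample rows modelled on Table 8-2.
SAMPLE_ROWS = [
    ("Molly", "Carroll", "22305", "University of Science"),
    ("David", "Michaels", "45334", "International Sales Corporation"),
    ("Barbara", "Richards", "35758", "Tungsten Tidal"),
    ("Margaret", "Carroll", "44506", "Association of Metallurgical Science"),
]


def make_db():
    """Creates the (assumed) customerinfo table in memory and loads the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table customerinfo "
        "(first text, last text, location text, organization text)"
    )
    conn.executemany("insert into customerinfo values (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, last):
    """Builds the query by concatenating user input, the mistake the text describes.
    Returns the matching rows, or an error string if the input broke the syntax."""
    sql = "select * from customerinfo where last='" + last + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def lookup_safe(conn, last):
    """Binds the value as a parameter, so the database never parses it as SQL."""
    return conn.execute(
        "select * from customerinfo where last=?", (last,)
    ).fetchall()


def demo():
    """Runs both lookups for a normal name and for the two inputs from the text."""
    conn = make_db()
    results = {}
    # Mi'chaels: the stray quote breaks the concatenated query, as in the text.
    # ' or '1'='1 : the book's "' or 1=1" with the quote closed so the statement
    # parses; the concatenated query now matches every row in the table.
    for value in ("Carroll", "Mi'chaels", "' or '1'='1"):
        results[value] = (lookup_vulnerable(conn, value), lookup_safe(conn, value))
    return results


if __name__ == "__main__":
    for value, (bad, good) in demo().items():
        print(repr(value), "-> concatenated:", bad, "| parameterized:", good)
```

Input validation is still worth adding in front of the query, but a parameterized query is what keeps a legitimate name such as O’Neil from being mistaken for SQL.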

FOR EXAMPLE

Code Red worm

The Code Red worm was the first big worm to attack IIS and has inspired many derivatives, such as the Nimda worm and Code Red 2. This virus took advantage of a buffer overflow error in the Index Server service (a Windows service that indexes files on a hard disk for faster search access). A buffer overflow attack attempts to exploit a program that does not validate a text value, like a URL, for length and allows a larger value to be placed in memory than the amount of space allocated. Subsequently, the program will not allocate enough space in memory to store a text value. For example, the Code Red virus uses the following URL to exploit IIS:

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

The N in the URL is taking up space to overflow the string buffer (a memory location set aside to store a specific number of characters), and the %u represents hexadecimal commands (commands represented in base 16) that the sender wants to execute. The stack is an internal structure where the operating system places the commands that should execute in a last-in-first-out (LIFO) order, which means that the additional information will “break the stack” and insert the value starting at the %u9090 as the next command on the stack to execute. This value represents code that will run with the permissions of the service running the code (administrator equivalent). As a result of the buffer overflow, the sender of the Code Red worm is allowed to execute arbitrary code with the Local System Account privileges. This is dangerous because it means that the attacker has complete control over the infiltrated system.

If you have IIS 4 or IIS 5 servers that have Index Server installed, they will be affected by this vulnerability unless they are patched. The Code Red exploit can occur even if the Indexing Server service is installed but stopped or disabled. You will need to make sure that you do not have the indexing service installed. You can also avoid the Code Red worm by keeping your server up-to-date with security patches, which would be appropriate if you depend on Index Server. This is an example of why you need to make sure that you install only the products you are using. If you don’t need it, don’t install it.
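A small detector that reads IIS W3C extended log lines and flags requests shaped like the Code Red probe above, using the same kinds of checks (URL length, verb, and the Index Server extension) that UrlScan applies on the way in. This is an added example, not part of the book and not UrlScan’s own code; the log lines, the length limit, and the allowed-verb list are constructed for it.

```python
"""Added example (not from the book): flag Code Red-style requests in
constructed IIS W3C extended log lines."""
import re

MAX_QUERY_LEN = 256                      # assumed limit for this example
ALLOWED_VERBS = {"GET", "POST", "HEAD"}  # assumed policy: only these verbs

UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")   # the %uXXXX form in the probe
LONG_RUN = re.compile(r"(.)\1{99,}")               # one byte repeated 100+ times

# Constructed sample log in the format IIS writes (a #Fields header names columns).
CODE_RED_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3=a"
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-07-19 10:00:01 192.0.2.10 GET /default.htm - 200\n"
    "2001-07-19 10:00:07 192.0.2.55 GET /default.ida " + CODE_RED_QUERY + " 200\n"
    "2001-07-19 10:00:09 192.0.2.10 GET /search.asp q=tungsten 200\n"
    "2001-07-19 10:00:12 192.0.2.77 SEARCH / - 405\n"
)


def parse_w3c(text):
    """Yields one dict per request, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def classify(entry):
    """Returns the reasons a request looks hostile; an empty list means clean."""
    reasons = []
    verb = entry.get("cs-method", "")
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    if verb not in ALLOWED_VERBS:
        reasons.append("verb " + verb + " not allowed")
    if stem.lower().endswith((".ida", ".idq")):
        reasons.append("request to Index Server ISAPI extension")
    if len(query) > MAX_QUERY_LEN:
        reasons.append("query length %d exceeds %d" % (len(query), MAX_QUERY_LEN))
    if LONG_RUN.search(query):
        reasons.append("long run of one repeated character (buffer filler)")
    if UNICODE_ESCAPE.search(query):
        reasons.append("%u-encoded bytes in query")
    return reasons


def scan_log(text):
    """Returns (client IP, URI stem, reasons) for every flagged request."""
    hits = []
    for entry in parse_w3c(text):
        reasons = classify(entry)
        if reasons:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, reasons in scan_log(SAMPLE_LOG):
        print(ip, stem, "->", "; ".join(reasons))
```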

SELF-CHECK

1. Describe how using server-side programming logic can help protect a website.
2. Describe how you can protect a database server from an SQL injection attack.

SUMMARY

In this chapter you learned some general guidelines for designing and implementing security baselines for your member servers. You also learned some best practices for securing a server based on its role in the network. The roles covered included infrastructure servers, domain controllers, file servers, print servers, web servers, and database servers.

KEY TERMS

A record, Active Directory–Integrated (ADI) zone, Active Server Pages (ASP), Anonymous FTP, ASP.NET, Baseline template, BIND name server, Break the stack, Buffer overflow attack, Code Red 2, Code Red worm, Common Gateway Interface (CGI), Custom template, DHCPINFORM message, DHCP scope, Distributed File System (DFS), DNS cache, DNS namespace, DNSUpdateProxy group, Domain Controller Baseline Policy (DCBP), Domain Name System (DNS) server, Drop-off Directory, Dynamic Host Configuration Protocol (DHCP) server, Dynamic DNS updates, Dynamic updates, Fault tolerance, File Replication Services (FRS), Forward lookup, Hexadecimal commands, Host name, Host record, Hyperlink,

HyperText Markup Language (HTML), Incremental template, Index Server service, Internet Connection Sharing (ICS), Internet Server Application Programming Interface (ISAPI), Intersite Messaging service (IsmServ), Kerberos key distribution center (KDC), Last-in-first-out (LIFO), LMHosts file, Manage Documents permission, Manage Printer permission, Multihomed computer, MX record, NetBIOS application, NetBIOS name, Network Address Translation (NAT) server, Network infrastructure server, Nimda worm, Poisoning the cache, Print job, Print permission, Print queue, Print Spooler service, PTR record, Query, Registry, Remote access server (RAS), Remote procedure call (RPC), Remote Procedure Call Locator (RpcLocator), Reverse lookup, Rogue DHCP server, Secure baseline, Secure updates, Security template, Security Configuration and Analysis snap-in, Security Configuration Wizard (SCW), Security Templates snap-in, Server role, Server-side program, Site, Spooled, SQL injection attack, SRV record, Stack, String buffer, Structured Query Language (SQL), Support_388945a0, Total cost of ownership (TCO), Transaction Signature (TSIG), Trusted computing base, Trusted zones, Uniform Resource Locator (URL), UrlScan, Verb, Virtualization, Virtual machine, Warez list, Windows Internet Name Service (WINS) server, WINS replication, Zone, Zone transfer.

ASSESS YOUR UNDERSTANDING

Go to www.wiley.com/college/cole to evaluate your knowledge of designing server security based on a server’s role. Measure your learning by comparing pre-test and post-test results.

Summary Questions

1. A secure baseline is a plan for applying the pieces of a trusted computing base to the appropriate computers. True or false?

2. In an Active Directory domain, how can you automate deployment of security settings to a large number of computers?
(a) Import a security template into a GPO and link the GPO to an OU.
(b) Link a security template to an OU.
(c) Import a security template into a GPO and link the GPO to a Windows group.
(d) Grant a Windows group containing the computers the Execute permission on the security template.

3. Which operating systems cannot communicate with a domain controller when the “Network security: Do not store LAN Manager hash value on next password change” security policy is enabled?
(a) Windows NT 4.0 only
(b) Windows 95, Windows 98, and Windows Me
(c) Windows 95 only
(d) Windows NT 4.0 and Windows 95

4. Active Directory authorization can completely protect your network against rogue DHCP servers. True or false?

5. A WINS server is only needed if you have legacy Windows operating systems in your environment. True or false?

6. A DNS server is configured to query an Internet DNS server to resolve names it cannot resolve. What is the biggest risk of this configuration?
(a) An attacker can modify host records to spoof a server.
(b) An attacker can perform a DoS attack against your DNS server.
(c) An attacker can gain information about your network.
(d) An attacker can poison the DNS cache.

7. What is the biggest risk of zone transfer?
(a) An attacker can modify host records to spoof a server.
(b) An attacker can perform a DoS attack against your DNS server.
(c) An attacker can gain information about your network.
(d) An attacker can poison the DNS cache.

8. You enable the Audit object access policy and select “Success.” However, no file access events are audited. Why not?
(a) You need to enable auditing on the individual folders and files you want to audit.
(b) Your account is not a member of the Administrators group.
(c) You need to enable the Audit system events policy.
(d) You need to enable the Audit privilege use policy.

9. Which printer permission allows users to delete print jobs that were sent to the printer by other users?
(a) Print
(b) Manage Documents
(c) Manage Printer
(d) all of the above

10. Which is NOT a risk of an anonymous FTP site?
(a) An attacker might list the site on a warez list.
(b) An attacker might upload pirated software to the site.
(c) An attacker might upload malicious code to the site.
(d) An attacker might use a packet sniffer to obtain logon credentials.

11. When securing a web server, you should enable support for all server-side extensions the web server software supports. True or false?

12. How can you guard against an SQL injection attack?
(a) Set the query buffer size to unlimited.
(b) Instruct developers to validate user input before using it in a dynamic query.
(c) Grant the right to modify a database only to administrators.
(d) Encrypt all databases.

13. How can you prevent a host from accessing a Linux server?
(a) Add an entry for the host to the /etc/hosts.deny file.
(b) Add an entry for the host to the dhcpd.conf file.
(c) Add an entry preceded by a “#” to the /etc/hosts.allow file.
(d) none of the above

Applying This Chapter

1. You are configuring security for a company with six locations. The network is an Active Directory network and there are a total of seven domain controllers: two at the main office and one at each other office. There is currently a BIND DNS server at each location. Most workstations are running Windows XP Professional, but around a dozen computers at one of the offices are still running Windows 98. The offices connect through a VPN connection, with a VPN endpoint configured at each office. A server running WINS and DHCP is also running at each office. A NetBIOS application at the main office must be accessible by all users. There are between four and ten file servers at each location, two print servers at the main office, and one print server at each other office.
(a) What server roles are there on the network?
(b) What changes should you make to reduce the likelihood of an attack on a WINS server?
(c) How can you reduce the likelihood of an attacker learning about the hosts on your network?
(d) Does the network need to support LAN Manager hashes? If so, which accounts require them?
(e) How can you ensure that a network administrator at a branch office won’t loosen the security on a domain controller?
(f) At minimum, what security templates should enable the Audit object access policy?
(g) How can you ensure that the VPN servers all use the same authentication policies?

2. A development team at your company is building an application that will be used by customers to obtain product availability information and automated support. The service will be a web application and will use a database on a different server. At first, the application will be installed on only a single web server. However, as performance requirements increase, it will be installed on multiple web servers. You are responsible for implementing security on the web server and the database server.
(a) Why is it important for you to work with the development team?
(b) The development team has told you that the application will be an ASP.NET application. What are the security ramifications?
(c) The development team wants to use FTP to transfer files to the server. What are some security concerns and how can you mitigate them?

YOU TRY IT

Identifying Risks and Securing Servers

You have been hired by a company to identify security vulnerabilities in their existing server infrastructure and to recommend changes. The company’s network is configured as a single Active Directory domain. There are domain controllers at each of four offices. An administrator at each location is a member of Domain Admins. All client computers are running Windows XP Professional. Five file servers are running Windows Server 2003. Twenty file servers are running Windows 2000 Server. Three file servers are running Windows NT 4.0 Server. They are located at location C. The company has three print servers at each office. The company has a server running WINS, DNS, and DHCP at each office. DNS supports dynamic updates. The company has an RAS at location A that provides access to telecommuters. The same server is also configured as a VPN server and an FTP server. The FTP server has a drop-off directory that is configured to use anonymous FTP. A database server stores accounting information, which must be accessed through a web application and a traditional client/server application. The web application was developed in-house and will replace the client/server off-the-shelf application within two years.

1. Identify the vulnerabilities in the current configuration and describe how you could mitigate them.

9 PROTECTING AGAINST MALWARE

Starting Point

Go to www.wiley.com/college/cole to assess your knowledge of protecting a computer against viruses, worms, and other malicious programs. Determine where you need to concentrate your effort.

What You’ll Learn in This Chapter

▲ Viruses
▲ Worms
▲ Trojan horses
▲ Spyware
▲ Web browser security
▲ Spam
▲ Email security

After Studying This Chapter, You’ll Be Able To

▲ Identify various types of malicious code
▲ Mitigate the risk of a malware infection
▲ Configure web browser security settings
▲ Mitigate the risk of spam
▲ Identify safe email practices

INTRODUCTION

As software has become more powerful and users around the world have become more interconnected, the threat of a computer being infected with malicious code has ballooned. In this chapter you will learn about the types of malicious code you need to guard against and some steps for mitigating the threat. This chapter pays particular attention to two venues frequently used to spread malicious code: web pages and email.

9.1 Viruses and Other Malware

Before you can understand how to mitigate the threat of malicious code, which is also known as malware or malcode, you need to understand the types of malicious code being propagated (spread from computer to computer) and the methods of propagation. In this section, we’ll look at various types of malicious code.

9.1.1 Viruses

A virus is a piece of code that inserts itself into legitimate software. A virus is able to replicate (reproduce) itself and attach itself to a host file, a technique known as self-propagation. As with a biological virus, the computer virus is not viable without a host. The virus needs the host software or file to propagate and carry out its mission. If the virus has attached itself to an application, the code in the virus is run every time the application runs. The virus code will have the same privileges as the host application. A typical example of a host for this kind of virus is a self-extracting video clip. When the unsuspecting user launches the file to extract the video, the virus code runs. This virus spreads by people sending the self-extracting video clip to their friends.

Early viruses infected boot sectors of floppies and were spread by the sharing of applications on floppies. Today, floppies are too small to be practical for sharing applications, so boot sector viruses that are transmitted through floppy disks are not common anymore.

Some viruses are able to attach to data files such as spreadsheets and word processor files. These viruses are scripts that execute when the file is loaded. A script is code written in a scripting language, so it does not need to be compiled (converted from human-readable source code to binary machine language) into an executable. Instead, it is run by an application that supports such scripts. One of the first widespread viruses to exploit scripts was Melissa, which spread by infecting Microsoft Word files. When the Word files were opened,

the virus code would run and infect the Normal.dot template file used by the word processor. After Normal.dot was infected, any Word document saved would have the Melissa virus. Melissa used the autorun macros in a Word document to run a Visual Basic script (VBScript) when an infected Word document was first opened. Microsoft now has a feature called Macro Virus Protection that can stop macros from running. This protection should not be disabled.

Email viruses move from PC to PC as part of the body of a message. The virus can either be an attachment that must be opened or an embedded script. When the virus code is executed, a message with the virus embedded is sent to other mail clients. Scripts can access the user’s address book and can use those addresses to propagate the virus-infected message. One example of a virus that propagates through email is the ILOVEYOU virus. The ILOVEYOU virus first appeared in the spring of 2000 and was simply an attachment that users launched. Once launched, the virus’s Visual Basic script sent out an infected message to everyone in the user’s address book.

9.1.2 Worms

A worm is code able to replicate itself and propagate to other hosts by exploiting a vulnerability in a program. Most worms exploit previously identified vulnerabilities that are correctable with patches or upgrades. Therefore, the best protection against worms is to stay current with patches and upgrades for Windows as well as for other major applications. Another way to protect against worms is to minimize the services and applications running on a computer. For example, worms often target common, high-visibility applications, such as the Microsoft web server, Internet Information Server (IIS). If a computer does not need to serve web pages and it is not being used to develop an application that relies on IIS, IIS should be disabled on the computer.

9.1.3 Trojan Horses

A Trojan horse is a program that masquerades as a legitimate application, such as a screen saver, while also performing a covert function. Users believe they are launching a legitimate application. When the Trojan horse runs, the user has every indication that the expected application is running. However, the Trojan horse also runs additional code that performs a malicious activity. The best way to detect a Trojan horse is to identify executable files that have been altered. This is most easily done by creating a baseline of cyclic redundancy check (CRC) values for all executable files on a workstation. A CRC calculates the file size and divides by a number, then stores the remainder of the operation. If an executable file is later altered to include a Trojan horse, it can be detected by comparing the current CRC value with the baseline value.
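The baseline-and-compare method just described, as an added example that is not from the book: it records a CRC-32 (computed with zlib.crc32 over each file’s contents) for every executable under a directory, then re-scans and reports files that were modified, added, or removed. The directory, file names, and file contents are constructed in a temporary folder so the script runs stand-alone.

```python
"""Added example (not from the book): CRC baseline of executables and a
later comparison that reveals an altered binary."""
import json
import os
import tempfile
import zlib

# Assumed definition of "executable" for this example.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".bat", ".com")


def file_crc(path):
    """CRC-32 of the file contents, read in chunks so large files are fine."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def build_baseline(root):
    """Maps each executable under root (relative, '/'-separated path) to its CRC."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_crc(full)
    return baseline


def compare(baseline, current):
    """Returns the paths whose CRC changed, plus executables that appeared or vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructs a toy install, baselines it, tampers with it, and reports the diff."""
    root = tempfile.mkdtemp()
    _write(root, "app/calc.exe", b"MZ original calculator")
    _write(root, "app/help.dll", b"MZ help library")
    _write(root, "readme.txt", b"not an executable, so not tracked")

    # The baseline would normally be stored off the workstation so an attacker
    # cannot edit it along with the binaries; JSON stands in for that store here.
    stored = json.dumps(build_baseline(root))

    # Simulated tampering: one binary gains extra code, one new binary appears.
    _write(root, "app/calc.exe", b"MZ original calculator" + b" plus covert payload")
    _write(root, "app/extra.exe", b"MZ dropped by the intruder")

    return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

CRC-32 detects accidental and careless changes, but an attacker who knows the scheme can pad a file so its CRC is unchanged; the same code with hashlib.sha256 in place of zlib.crc32 resists that.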

Trojan horses are more difficult to distribute than viruses and worms. They do not propagate on their own. They rely on users accepting questionable executables from untrusted sources. Trojan horses are very powerful threats to the security of a computer, network, and organization. They bypass most security controls put in place to stop attacks. Trojan horses are not stopped by firewalls, intrusion detection systems (IDS), or access control lists (ACLs) because a user installs them just as they would any other application.

The use of Trojan horses to launch distributed denial-of-service (DDoS) attacks is common. The attacker installs a logic bomb Trojan horse on a number of computers. When the triggering event occurs, those computers launch a denial-of-service attack against the target. The more computers hosting the Trojan horse, the more devastating the attack. The fact that the packets are coming from a number of locations also makes it more difficult to track down the source of the attack. When a computer is controlled to launch a DDoS attack, it is known as a zombie.

Logic Bombs

A logic bomb (also called slag code) is a type of Trojan horse that lies in wait until some event occurs. The most common trigger for a logic bomb is a date, in which case the code is known as a time bomb. The Michelangelo virus was an early logic bomb, created in 1991. Its trigger was March 6, Michelangelo’s birthday. It was a particularly destructive logic bomb because it was designed to overwrite the hard disk. The Nyxem Worm is a more recent time bomb that activates on the third of each month. It disables file sharing security and virus protection and deletes certain file types, including Microsoft Office files, .zip files, and .rar files. The files with extensions .zip and .rar are compressed files.

9.1.4 Browser Parasites

A browser parasite is a program that changes some settings in your browser. The parasite can have many effects on the browser, such as the following:

▲ Browser parasites can change a user’s start page or search page. The new page might be a “pay-per-click site,” where the owner of the browser parasite earns money for every click.
▲ Browser plug-in parasites can add a button or link add-on to the user’s browser. When the user clicks the button or the link, information about the user is sent to the plug-in’s owner. This can be a privacy concern.
▲ Browser parasites can transmit the names of the sites the user visits to the owner of the parasites. This can be used to formulate a more directed attack on the user.

9.1.5 Spyware

Spyware is a software application that gathers information about the computer and user. This information is then sent back to the developer or distributor of the spyware and is often used to serve ads to the user. Targeted marketing has long been a part of a good sales program. The classic example is marketers that use census data to direct more effective mass-mailing campaigns. Census data is used to find certain zip codes that have the best demographics (characteristics such as age, number of children, and annual income) for the particular product being advertised. The use of census data and data compiled by companies that conduct market research is not as controversial because specific names and addresses have been removed, and the data is a summary of statistics for the zip code. Spyware does not provide the developer with summarized data, but instead includes specifics on a named individual. Therefore, it is a violation of privacy and might make it possible for the person who receives the data to steal the victim’s identity. Typical information that can be reported includes the following:

▲ User keystrokes: User keystrokes can be used to capture passwords and other very sensitive data entered by the user.
▲ Screen snapshots: Even encrypted communications will at some point be displayed in clear text on the screen. At this point, the spyware can take a screen shot and send the image to whoever has developed or distributed the spyware.
▲ Copies of emails: Emails sent or received can be forwarded to the person wanting to monitor the user.
▲ Copies of instant messages: Essentially, any communications to and from the PC can be copied and sent to the spyware’s owner.
▲ Other usage information: Login times, applications used, and websites visited are examples of other data that can be captured and reported back.

9.1.6 Backdoors

A backdoor (also called a trapdoor) is a way for an attacker to access a computer without being detected or blocked by usual security measures. Often, the initial attack on a computer is potentially detectable by a firewall or IDS. So the attacker will install an application that will allow him to get back into the computer quickly and easily. These backdoors are often stealthy and difficult to detect. If a Windows computer has been connected to the Internet for more than a day without any security protections in place, it most likely has been rooted, unbeknownst to the user, and

has a backdoor installed. Some operating system and driver modifications are difficult to detect. Although you can delete the application, you can never be sure that other changes have not been made on the computer. In such a case, the best thing to do is wipe the system clean and re-install the Windows operating system. As you can see, sophisticated attacks often do not fit into a specific category. Instead, they use a combination of methods to launch the attack.

FOR EXAMPLE

Social Engineering at Work

In January 2007, a worm called the Storm Worm was propagated through email attachments. The subject line of the email related to current news stories, a social engineering technique used to entice users to launch the attachment. One of the headlines used as the subject was “230 dead as storm batters Europe,” giving the worm its name. The attachments were .exe files, so they were easily identified as executable code. In this case, user education and attachment filtering helped prevent the worm from becoming even more of a problem than it was. Almost immediately, other variant subject lines began to emerge. In fact, within three days, the worm began appearing in emails with matchmaking subject lines instead of news stories, making it impossible to identify the worm by subject line alone. This example illustrates the fact that malware detection is a moving target. The worm is a Trojan horse that can be used to launch a DDoS attack and send data. In this example, a social engineering attack was used to encourage users to launch malicious code, which then installed a Trojan horse and propagated itself as a worm.

SELF-CHECK

1. Identify the types of malware that are self-propagating.
2. Describe a logic bomb.

9.2 Protecting the Workstation

Now that you have a basic understanding of the types of programs you are up against, let’s look at some ways you can protect the computers on the network against these threats. Malware protection should focus on the following:

▲ The use of antivirus and anti-spyware applications.
▲ Hardening the computer’s configuration.
▲ User training and awareness.

This multilevel defense against viruses and worms is shown in Figure 9-1.

Figure 9-1: Protecting against malware. (Diagram: an infected workstation reaches a target workstation through vulnerable applications, shares, floppies, web downloads, and email; antivirus protection, Windows configuration, and user awareness are the layers of defense.)

Because new viruses and worms are constantly being created, the best protection is to run antivirus software, properly configure Windows, and educate users on safe practices. It is important to note that anti-malware protection is also important on Linux-based computers, as well as on computers running Windows. Although currently a larger number of viruses and other malware programs are developed to target Windows computers, the number of malware programs that target Linux and Mac OS X is increasing. As these operating systems become more popular, they will become more desirable targets, and the number of malware attacks will increase even more. This section will focus on protecting the workstation by looking at some general guidelines. The next two sections will look at defending against the two most common methods of propagation: web pages and email.

9.2.1 Antivirus Software

In today’s threat environment, virus protection applications (antivirus programs) are no longer optional. A number of good antivirus products are available today, such as those from Symantec, McAfee, and Computer Associates. An organization should have protection on every computer where people are saving files, storing email messages, or browsing web pages. The antivirus software should be configured to provide real-time protection as well as routinely scheduled scanning. Without continuous protection, a virus can spread throughout an organization before the next routine scan is scheduled.

Keep Current with Antivirus Signatures

Because new viruses are always being released, antivirus software relies on periodic updated virus signature files to provide protection against the latest threats. A virus signature is the pattern of bits inside a virus that allows the antivirus software to recognize it. Most signature updates are obtained by accessing the antivirus vendor’s site and pulling down the latest update. Most antivirus packages will allow the administrator to choose to have the new signatures downloaded automatically on a regular schedule. Automating the process ensures that critical updates are not missed. If the new antivirus signature is downloaded to be redistributed throughout a large organization, it should be tested first and deployed from a server within the organization. The local server, in turn, gets its files from a master server that distributes the tested update. Finally, it is important that the computers be monitored periodically to ensure that the new antivirus signatures are being distributed properly. When the next big virus or worm hits is not the time to find a flaw in the system. There are four key steps to deploying updated signatures in a large organization:

1. Download new signatures.
2. Test new antivirus downloads.
3. Deploy new signatures.
4. Continue to monitor.

9.2.2 Anti-spyware

Anti-spyware software monitors a computer for spyware and allows you to remove it. There are a number of anti-spyware applications. In fact, some companies like Symantec and Microsoft sell an integrated package that includes antivirus and anti-spyware software. A term describing software that protects against a variety of malware is anti-malware. As with an antivirus application, you must keep your anti-spyware software up-to-date.

Some Internet service providers (ISPs) are so concerned about preventing malware that they offer security suites to their subscribers free of charge.

9.2.3 Computer Configuration Guidelines

Another important way to guard against malware is to make sure client computers are hardened. Many of the same guidelines apply as for hardening servers, including the following:

▲ Remove unnecessary services and applications.
▲ Disable services.
▲ Implement access control.
▲ Filter traffic.

In this section, we’ll look at a few specific precautions: personal firewalls, limiting user rights, and disabling hidden file extensions.

Personal Firewalls

A personal firewall is software that runs on the user’s computer and blocks incoming and outgoing traffic. Windows XP Professional with Service Pack 2 includes Windows Firewall. Other personal firewalls are available for Windows, Linux, and Mac OS X from a variety of software distributors. When used properly, a personal firewall can be very effective. For instance, a properly configured personal firewall can be very specific to a user’s need for LAN traffic. A good way to configure a personal firewall is to start by blocking all traffic in and out of the computer. As the user encounters warnings of attempted activity that has been blocked, the user can choose to permit that traffic. In a short period of time, the user will have unblocked the majority of traffic he or she needs and the firewall will be configured to the user’s very specific requirements.

Limiting User Rights

Remember that malware usually runs under the security context of the user who is logged in. Therefore, you should consider the rights and permissions a user has on his or her computer. For example, if a user does not need to install applications, the user should be prevented from doing so. A managed computer is one that is configured through an automated policy. On an Active Directory network, the policy is deployed through Group Policy Objects (GPOs), as shown in Figure 9-2. A large number of templates are available for configuring computers. Some things you can do include the following:

▲ Prevent users from creating automated tasks through Task Scheduler.

txt. this convenience comes at a security price. By hiding the extensions. and location. On a NetWare® network. For example. publisher. File Extensions Windows has a feature that allows file extensions to be hidden from the user. ▲ Prevent users from installing applications. ▲ Restrict the software that can run based on file type. you might want to prevent users from accessing the Control Panel or from running applications unless they meet specific criteria. knowing that simple American Standard Code for Information Interchange (ASCII) text files cannot . malicious code is able to masquerade as something benign. ▲ Set permissions on directories.9. ZENworks patch management can also be used to ensure that desktop computers are kept up-to-date. you can use ZENworks® to create managed computers and restrict the features available on a desktop. ▲ Restrict membership in specific groups. Although this feature is designed to make the system more convenient and user friendly. You can also create policies that apply to user accounts. a user might be tempted to open a file named readme. For example.2 PROTECTING THE WORKSTATION 319 Figure 9-2 Computer configuration policies. as shown in Figure 9-3.

contain malicious code. However, the user will be at risk if the real file name is readme.txt.bat, because Windows hides the true extension. If the user opens the file by double clicking it, the malicious code in the BAT file will run with the same permissions as the user. File extension hiding should be disabled on Windows systems. You disable file extension hiding by removing the check from the “Hide file extensions for known file types” check box on the View tab of the Folder Options dialog box, as shown in Figure 9-4.

Figure 9-3 User configuration policies.

9.2.4 User Training
Windows users can also take steps to minimize the spread of viruses, worms, and Trojan horses on their systems. Remember, many malware schemes depend on social engineering to propagate. Some good practices for users include the following:
▲ Configure the email client to not download graphics and audio automatically. Some malicious email includes links that will let the attacker know that the file was opened. A graphic or audio file embedded for this purpose is known as a web beacon. An attacker is more likely to continue to send malicious emails to addresses on which they are opened.

Figure 9-4 Showing file extensions.

▲ Don’t open any email from strangers that contain attachments.
▲ Only accept or open expected attachments. The user should have prior knowledge that the attachment was going to be sent.
▲ Do not open attachments on email that seems vague or out of character. Many viruses today will at first appear to be legitimate messages. However, upon scrutiny, a user will be able to catch unexpected messages. Watch out for nondescript messages such as “Check this out.” The sender should include information in the message that helps the recipient trust the attachment. For example, instead of “Check this out,” the message should be “Bobby’s graduation pictures,” where the sender, Bobby, and a graduation are familiar or expected.
▲ If questionable email must be received and read, use a separate email client that is less susceptible to viruses. Otherwise, an email client that does not run scripts should be used.
▲ Use macro protection in spreadsheet applications and word processors. Macros should be enabled on a case-by-case basis.

In many cases, the preceding procedures require a judgment call on the part of the user. There are circumstances when a user is part of a public mailing list in which the members routinely share files. If attachments from this mailing list are routinely opened. Security awareness training is essential to help users recognize dangerous code before installing it on their computers.

Another important consideration is to make sure you use a trusted source for anti-malware applications. A particularly annoying browser parasite called SpyBlast claims to locate and eradicate spyware, but in actuality it displays pop-up advertisements. A type of malware that displays popup ads or other advertisements is known as adware.

FOR EXAMPLE
Adding a Computer to a Network Securely
When adding a new computer to the network, it is important that you harden the computer before attaching it to the network. Consider this scenario. You install Windows XP Professional on a computer and add it to the network. Next, you browse the Web to locate an anti-malware program. While browsing the Web, you unintentionally download spyware. The spyware monitors the data you enter and sends it to an advertiser, who then knows too much information about you. When you reach the website distributing the anti-malware, you are asked to type in your email address, mailing address, phone number, and credit card information. You install the anti-malware program and it detects and removes the spyware. However, your private data has already been compromised. When setting up a new computer, you should always install the latest service packs and security updates, along with anti-malware software, before connecting the computer to the Internet. Otherwise, you run the risk of installing malware before the computer has been completely configured and the latest security updates installed.
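The File Extensions discussion and the attachment rules above both come down to one check a mail gateway or an endpoint agent can make before a user ever sees the file: what Windows would actually execute. The following is an added example, not code from the book; the extension lists are constructed for illustration and should be aligned with the organization's own policy. It reports names such as readme.txt.bat that display as readme.txt when extension hiding is on, and also catches the older trick of padding a name with spaces so the real extension scrolls out of view.

```python
import os
import re
from typing import List

# Extensions Windows runs when the file is double-clicked (constructed list for
# this example; extend it to match local policy).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js", ".wsf", ".hta",
}

# Extensions users regard as harmless documents; the usual disguise.
BENIGN_LOOKING = {".txt", ".pdf", ".doc", ".jpg", ".gif", ".png", ".htm", ".html"}


def all_extensions(filename: str) -> List[str]:
    """Every dotted suffix of the name, lower-cased, left to right.

    'readme.txt.bat' -> ['.txt', '.bat']
    """
    base = os.path.basename(filename)
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:]] if len(parts) > 1 else []


def true_extension(filename: str) -> str:
    """The extension Windows uses to pick the handler: the last one."""
    exts = all_extensions(filename)
    return exts[-1] if exts else ""


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide file extensions for known file types' on:
    only the final extension is stripped, so the one before it looks like the type."""
    base = os.path.basename(filename)
    ext = true_extension(filename)
    return base[: -len(ext)] if ext else base


def screen_attachment(filename: str) -> List[str]:
    """Findings for an attachment name; an empty list means nothing suspicious."""
    findings: List[str] = []
    exts = all_extensions(filename)
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable type {last}")
        if len(exts) >= 2 and exts[-2] in BENIGN_LOOKING:
            findings.append(
                f"disguised as {exts[-2]} (displays as '{displayed_name(filename)}' "
                f"with hidden extensions)"
            )
    # A long run of spaces before the real extension pushes it out of the visible column.
    if re.search(r" {5,}\.", filename):
        findings.append("padding spaces hide the real extension")
    return findings
```

The same logic applies at the gateway (reject or quarantine) and on the client (warn), and it is independent of the Folder Options setting, which users can switch back on.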

SELF-CHECK
1. What should malware protection focus on?
2. What is a virus signature?
3. What is the function of a personal firewall?

9.3 Web Browser Security
Web browsers today provide a lot more features than simply rendering images and HyperText Markup Language (HTML) code. Their convenience is greatly enhanced by their capability to do the following:
▲ Run Common Gateway Interface (CGI) scripts on the web server.
▲ Run scripts written in JavaScript® or VBScript on the web browser.
▲ Run executables such as Java™ and ActiveX® on the web browser host.
▲ Launch various plug-ins such as an audio player or movie player.
The convenience, productivity, and popularity of web browsers make them a prime target for hackers and would-be attackers. The hacker who develops an attack for a common web browser is sure to find many susceptible targets. This section looks at some of the risks associated with web browsers and how to mitigate them by configuring browser security settings and educating users.

9.3.1 Web Browser Risks
The security risks associated with browsing the Internet can be grouped into several categories:
▲ The web server might not be secure. All the data that users enter into their browsers is ultimately processed on the web server. In most cases, this information is stored in a database of some sort. Most typical users trust businesses to make sure their data is secure. However, the opposite is probably true. The best defense a user can have against an unsecure web server is to limit the sensitive data that is transmitted to the server.
▲ The browser runs malcode in the form of scripts or executables. Web applications often have dynamic elements that execute on the client. When used legitimately, these technologies improve the browsing experience. However, when used maliciously, client-side code can do a lot of harm to a computer.

▲ An attacker might eavesdrop on network traffic. Users should be aware that the security of the data transmitted to and from the web server is no more secure than the security of the network on which it travels. This risk can be reduced when the web server uses Secure Sockets Layer (SSL) to encrypt the data transmitted and received.
▲ An attacker might employ a man-in-the-middle attack. Web-based applications are sessionless, meaning that each request is sent independently, and are potentially susceptible to man-in-the-middle attacks, such as hijacking and replay.
▲ A website might add browser parasites to your browser.

9.3.2 Web Browser Technologies
Browsers support several types of client-side code. These features come with security risks, but are essential to many web-based applications. Therefore, it is important that you understand what these features are and why they present a risk so that you can configure the browser to limit or provide support for them according to a user’s requirements and the organization’s security policy.

Plug-ins
A plug-in or add-on is an addition to the browser that allows you to open a specific type of content. For example, the Adobe® Reader® plug-in allows you to view Portable Document Format (PDF) files in the browser window. The Macromedia® Flash® plug-in allows you to view and interact with Flash animations.

ActiveX
ActiveX is a technology developed by Microsoft for creating reusable content that can be distributed over the Internet or through an application installation. ActiveX controls are user interface elements that are embedded in a web page and must be downloaded to the client. The use of ActiveX is a security risk because the browser places no restrictions on what an ActiveX control can do. To mitigate the risk of using ActiveX, each control can be digitally signed. The digital signatures can then be certified by a trusted certifying authority, such as VeriSign®. The developer can also indicate whether the control is safe for scripting and/or safe for executing. A control that is safe for execution should not modify files on the computer or perform other harmful tasks when it is added to a web page. A control that is safe for scripting should not allow parameters that could be used for harmful purposes to be set in script. For example, if a control is safe for scripting, it should not allow a web page developer to set a path to a file. It is up to the developer to be honest about the safety level of the control. Figure 9-5 shows some of the security settings you can configure to control how ActiveX controls are downloaded and executed by Internet Explorer® 7.

Figure 9-5 ActiveX control settings.

If the browser encounters an ActiveX control that hasn’t been signed (or that has been signed but certified by an unknown certifying authority), the browser presents a dialog box warning the user that this action might not be safe. At this point the user can elect to accept the control or cancel the download. Few users that accept an unsigned control appreciate the risk involved. This is an area where user education is essential to preventing the installation of malevolent code.

Java
Java applets are programs written in the Java programming language that are run on the user’s workstation. Java has a large number of security safeguards intended to avoid attacks. A security manager monitors what the applet does

and prevents it from performing tasks that are known to be risky. The following security features are part of the Java design:
▲ The security manager does not ordinarily allow applets to execute arbitrary system commands, to load system libraries, or to open up system device drivers such as disk drives.
▲ Applets are generally limited to reading and writing to files in a user-designated directory.
▲ An applet is only allowed to make a network connection back to the server from which it was downloaded.
▲ The security manager allows Java applets to read and write to the network and to read and write to the local disk but not to both. This limitation was created to reduce the risk of an applet spying on the user’s private documents and transmitting the information back to the server.

JavaScript
JavaScript is a scripting language that can be executed by most browsers. The designers of JavaScript built security into the language itself. The basic approach was to eliminate the possibility of JavaScript code doing insecure activities by not providing commands or objects for those activities. The following are some examples of the security protections with JavaScript:
▲ JavaScript cannot open, read, write, create, or delete files. The language does not have any objects for managing files. A script cannot even list files and directories.
▲ JavaScript cannot access the network or network resources. The language does not have any objects for connecting or listening to the network interface. Scripts can request URLs and send other HTML information such as forms. This means the scripts could hit CGI programs that run on the web server.
▲ JavaScript can only access the domain from which it was downloaded. The script cannot access any other domain other than the one from which it originated.
Over the years, a number of security vulnerabilities have been discovered when using JavaScript. Patches and updated browsers have eliminated most of the security problems. However, the general concept that JavaScript is a potential avenue for the loss of private data still exists. For instance, JavaScript can access information available to the browser, such as URLs, names of files downloaded, cookies, and so on, and can make Hypertext Transfer Protocol (HTTP) requests.

Cookies
A cookie is an ASCII file created by a website to store information about the user visiting that site. This information is stored for the convenience of the website or for the convenience of the user, and when used maliciously can present a threat to a user’s privacy. The contents of the cookie are under the control of the web server and might contain information about you or your past and present surfing habits. When a new request is made, the server can ask the browser to check if it has any cookies and, if it does, to pass those cookies back to the server. The browser can potentially pass any cookie to a web server. This could include cookies from completely different websites.

There are two general types of cookies: persistent and nonpersistent. A persistent cookie is one that will survive reboots and last for a predetermined period of time. Persistent cookies are traditionally stored on the hard drive in a file such as “cookies.txt.” This file can be read and edited by the user or system administrator. A nonpersistent cookie (also called a session cookie) is stored in memory, so when the computer is turned off or rebooted, the cookie information is lost. Some browsers delete nonpersistent cookies when the user closes the browser, navigates to a different website, or after an elapsed period of time. There is no assurance that every browser will handle nonpersistent cookies the same way. The web server has no control over how the browser stores or disposes of the cookies; it merely tells the browser whether the cookie is meant to be persistent or nonpersistent.

More and more people are becoming wary of cookies, especially those that can be used to track users over time. Some marketing companies have attempted to exploit user behavior by trying to capture these persistent cookies. Therefore, many sites are starting to use nonpersistent cookies.

9.3.3 Specific Threats to a Browser Session
Now that you are familiar with some of the web technologies and the general risks they present, let’s look at some specific attacks that target web browsers and sessions with web servers.

Hijacking Attack
Session hijacking occurs when an HTTP session is observed and captured by a network sniffer. The attacker modifies the captured traffic to allow the attacker to impersonate the client. All future traffic in the session is then channeled between the web server and the attacker. The hijacking is usually done after the legitimate user has authenticated to the web server. Therefore, the attacker does not have to re-authenticate (usually for the remainder of the session). In this way, the attacker bypasses one of the major security features of the web-based session, the initial authentication.

The hijacking attack exploits a weak method of maintaining state (information about the current session). If the attacker can understand how state is maintained, they might be able to inject themselves into the middle of the session by presenting the intercepted authentication cookie or credentials. This is illustrated in Figure 9-6. The attack involves the following steps:
1. A valid user performs some web activity that results in him or her acquiring a cookie.
2. The cookie is stolen or captured by an attacker.
3. The cookie is transmitted with the attacker’s attempt to access the application. The cookie authenticates the attacker as a valid user. The attacker gets access to the application.

Figure 9-6 Hijacking when cookies maintain state. (The figure shows the valid user receiving a cookie from the web server with Web Page 1, the attacker capturing the cookie, and the attacker presenting the cookie to the web server to obtain Web Page 2; the three numbered steps above are repeated in the figure.)

Replay Attack
As with a hijacking attack, the first step in a replay attack is to capture HTTP packets for a session. Some aspect of the session is then modified (certain replays might not require modifications). The modified session is then fed back onto the network. If the replay is successful, the web server will believe the replayed traffic to be legitimate and will respond accordingly. This could produce a number of undesirable results, such as transferring bank funds. Figure 9-7 illustrates session replay.

Figure 9-7 Replay attack. (The figure shows the valid user sending a transaction request to the web server, the attacker capturing and retransmitting it, and the web server acknowledging the repeated transaction; the four numbered steps below are repeated in the figure.)

The following steps are involved in a replay attack:
1. A valid user performs some web activity such as “Transfer $5,000 from account A to account B.” There might or might not be a cookie.
2. The web request is stolen or captured by an attacker.
3. The web request is retransmitted. The attacker can retransmit numerous times.
4. The transaction is repeated; an additional $5,000 is transferred. Depending on whether the attacker had to do spoofing, the final acknowledgment transaction might go back to the valid user’s IP address, where it is dropped because no session is open.

The responsibility is on the web server to prevent replay attacks. The web server should be able to recognize replayed traffic as no longer being valid.

9.3.4 Browser Configuration
Web browsers, like most Internet applications, respond to emerging security threats. In the early years, web browsers were very vulnerable. They had features making them convenient and productive but had no means for the user to make them more secure. Web browsers have evolved (due to the security threat), and users are now able to set various configuration settings to improve the security of their web browsers.
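The replay steps above end with the observation that the web server must recognize replayed traffic as no longer valid. The usual server-side mechanism is a one-time transaction token: the server mints a random token when it renders the transfer form, binds it to the session, and consumes it when the request is processed, so the captured copy in step 3 is refused even though the cookie it carries is still good. The following is an added example (not code from the book) with constructed accounts, balances, and a session cookie; it walks through the Figure 9-7 transaction and shows the first submission succeeding and the retransmission being rejected.

```python
import secrets
import time
from typing import Dict, Optional, Tuple


class TransactionServer:
    """Toy transfer endpoint that recognizes replayed requests.

    Each transfer must present a token that was issued for the same session and
    has not been used yet. pop() consumes the token, so a retransmitted copy of a
    captured request finds nothing pending and is rejected. Tokens also expire
    after token_ttl seconds, which bounds how long a capture remains useful.
    """

    def __init__(self, token_ttl: float = 300.0) -> None:
        self.token_ttl = token_ttl
        self.sessions: Dict[str, str] = {}                # cookie -> user
        self.balances: Dict[str, int] = {}                # account -> balance
        self.pending: Dict[Tuple[str, str], float] = {}   # (cookie, token) -> issue time

    def login(self, user: str, cookie: str) -> None:
        self.sessions[cookie] = user

    def issue_token(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Called when the transfer form is served; None for an unknown session."""
        if cookie not in self.sessions:
            return None
        token = secrets.token_hex(16)
        self.pending[(cookie, token)] = time.time() if now is None else now
        return token

    def transfer(self, request: dict, now: Optional[float] = None) -> str:
        """Process {'cookie', 'token', 'from', 'to', 'amount'} and report the outcome."""
        now = time.time() if now is None else now
        cookie = request.get("cookie")
        if cookie not in self.sessions:
            return "rejected: not authenticated"
        issued = self.pending.pop((cookie, request.get("token")), None)
        if issued is None:
            return "rejected: unknown or already used token"
        if now - issued > self.token_ttl:
            return "rejected: token expired"
        src, dst, amount = request["from"], request["to"], request["amount"]
        if amount <= 0 or self.balances.get(src, 0) < amount:
            return "rejected: invalid amount or insufficient funds"
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return "accepted"


def replay_scenario() -> Tuple[str, str, Dict[str, int]]:
    """Figure 9-7 walked through: the user's request succeeds once, the replay fails."""
    server = TransactionServer()
    server.balances.update({"A": 10000, "B": 0})          # constructed balances
    server.login("valid-user", "cookie-1234")             # constructed session
    token = server.issue_token("cookie-1234", now=1000.0)
    request = {"cookie": "cookie-1234", "token": token,
               "from": "A", "to": "B", "amount": 5000}    # "Transfer $5,000 from A to B"
    first = server.transfer(request, now=1001.0)          # legitimate submission
    replay = server.transfer(dict(request), now=1002.0)   # the captured copy, resent
    return first, replay, dict(server.balances)
```

The token must be unpredictable and tied to the session, which is why it is generated with `secrets` and keyed by cookie; a counter or the transaction details alone would let a captured request be edited into a "fresh" one, the modification the text warns about.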

The problem with relying on the user to make security configuration decisions is that most users are not sophisticated and savvy when it comes to securing a web browser or even understanding the threat. Often users will not change any of the browser’s security configuration settings, or even know they exist. The customization, for security purposes, is then left to the system or network administrator. However, browsing has become such an accepted norm for convenience and productivity that few users will tolerate less than total functionality. As a result, administrators who initially attempt to secure browsers are often beaten back by the onslaught of complaints and requests for help. In the end, the administrator must relax the web-browsing security settings. In this section, we’ll look at some areas where you can configure a browser to help mitigate the risks.

Secure Socket Layer
The Secure Socket Layer (SSL) protocol provides for the encryption of traffic between the web browser and server. SSL uses public-key encryption to exchange a symmetric key between the client and server. This symmetric key is used to encrypt the HTTP transaction (both request and response). Each transaction uses a different key. If the encryption for one transaction is broken, the other transactions are still protected.

The host name of the web server is a fixed part of the site certificate. If the name of the web server doesn’t match the name on the certificate, the browser will report the problem. A properly configured web browser will warn the user of a certificate problem if any of the following occur:
▲ The certificate was not signed by a trusted certificate authority.
▲ The certificate is currently invalid or has expired. Legitimate websites will keep their certificates up-to-date.
▲ The common name on the certificate does not match the domain name of the server. This could indicate that the certificate has been stolen and is being used by a third party.
▲ The certificate or the certificate of the server that issued it has been revoked.
If a problem has been identified with the certificate, the user is prompted whether or not to accept the certificate, as discussed earlier. Some of the settings related to digital certificates in Internet Explorer 7 are shown in Figure 9-8. Settings related to digital certificates when using the Firefox® web browser on a Linux computer are shown in Figure 9-9.
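The four certificate warnings listed above are the checks a browser performs before it trusts an SSL session. The following is an added example (not code from the book) that applies them to a certificate represented as a plain dictionary; the trust store, the revoked serial, and both certificates are constructed for illustration. It goes slightly beyond the list by accepting a single wildcard label in the common name, which is how browsers match names such as *.example.com.

```python
from datetime import datetime
from typing import Dict, List, Set


def hostname_matches(common_name: str, hostname: str) -> bool:
    """Compare the certificate's common name with the requested host, allowing a
    single leading wildcard label ('*.example.com' covers 'www.example.com' only)."""
    cn, host = common_name.lower(), hostname.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host


def certificate_warnings(cert: Dict, hostname: str, trusted_cas: Set[str],
                         revoked_serials: Set[str], now: datetime) -> List[str]:
    """Warnings a browser should raise for `cert` when visiting `hostname`.

    `cert` is a dictionary (constructed for this example) holding the fields a
    browser reads from an X.509 certificate: issuer, common_name, serial,
    issuer_serial, not_before and not_after.
    """
    warnings: List[str] = []
    if cert["issuer"] not in trusted_cas:
        warnings.append("not signed by a trusted certificate authority")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        warnings.append("certificate is not yet valid or has expired")
    if not hostname_matches(cert["common_name"], hostname):
        warnings.append("common name does not match the server's domain name")
    if cert["serial"] in revoked_serials or cert["issuer_serial"] in revoked_serials:
        warnings.append("certificate or its issuer's certificate has been revoked")
    return warnings


# Constructed sample data: a trust store with one CA and one revoked serial number.
TRUSTED_CAS = {"Example Root CA"}
REVOKED = {"0x0bad"}
GOOD_CERT = {"issuer": "Example Root CA", "common_name": "www.example.com",
             "serial": "0x1001", "issuer_serial": "0x0001",
             "not_before": datetime(2007, 1, 1), "not_after": datetime(2008, 1, 1)}
STOLEN_CERT = {"issuer": "Unknown CA", "common_name": "www.example.com",
               "serial": "0x0bad", "issuer_serial": "0x0002",
               "not_before": datetime(2005, 1, 1), "not_after": datetime(2006, 1, 1)}
```

Each condition produces its own warning rather than a single pass/fail result, because the user prompt the text describes is only meaningful if it tells the user which of the four problems occurred.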

Figure 9-8 Certificate settings in Internet Explorer 7.

Configuring Support for Cookies
Some configuration settings that can be set on the web browser to mitigate the risk of a loss of privacy due to cookies are as follows:
▲ Turn off all cookies. The browser can be set to ask the user if any particular cookie should be accepted. In this way, the user can decide in each case if the information put into the browser for

that particular site poses a privacy risk. In most cases, when prompted to accept or reject a cookie, the user has the option to accept all future cookies from this website.
▲ Limit the websites that can download cookies.
▲ Only return cookies to the originating domain. Cookies originate (are sent to the browser) from a web server. The browser can refuse to send these cookies back to any website other than the one that created the cookie in the first place. A cookie that sends data to a different domain is known as a third-party cookie. This will mitigate the risk of a third-party site trying to get private data about a user.
▲ Force all cookies to be nonpersistent.

Figure 9-9 Certificate settings in Firefox.

▲ Clean out persistent cookies. Periodically, go into the browser settings and delete any persistent cookies.

In Internet Explorer 7, cookie policies are defined on the Privacy tab of the Internet Options dialog box, as shown in Figure 9-10. As you can see, you can set a general policy level, but configure individual sites as exceptions. Firefox allows you to configure cookies by displaying the Preferences dialog and clicking Privacy. The Cookies options are shown in Figure 9-11.

Figure 9-10 Configuring cookie support in Internet Explorer 7.
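The cookie settings listed above, together with the per-site exceptions of the Internet Explorer 7 Privacy tab, amount to a small decision procedure that runs on every Set-Cookie header and on every outgoing request. The following is an added example (not code from the book or either browser) that models that procedure: the cookie domains and page domains are constructed for illustration. It shows the third-party case, the forced-nonpersistent case, and how a site exception overrides the general level.

```python
from dataclasses import dataclass, field
from typing import Set


@dataclass
class Cookie:
    name: str
    domain: str        # domain of the server that set the cookie
    persistent: bool   # True when Set-Cookie carried an expiry date


def same_site(cookie_domain: str, request_domain: str) -> bool:
    """True when request_domain is the cookie's domain or a subdomain of it."""
    cd, rd = cookie_domain.lower().lstrip("."), request_domain.lower()
    return rd == cd or rd.endswith("." + cd)


@dataclass
class CookiePolicy:
    accept_cookies: bool = True        # False models "Turn off all cookies"
    block_third_party: bool = True     # reject cookies set by a domain other than the page's
    force_session_only: bool = False   # "Force all cookies to be nonpersistent"
    blocked_sites: Set[str] = field(default_factory=set)   # per-site exceptions, as on
    allowed_sites: Set[str] = field(default_factory=set)   # the IE7 Privacy tab

    def decide(self, cookie: Cookie, page_domain: str) -> str:
        """'accept', 'accept-as-session' or 'reject' for a cookie set while viewing page_domain."""
        if cookie.domain in self.blocked_sites:
            return "reject"
        if cookie.domain not in self.allowed_sites:      # exceptions bypass the general level
            if not self.accept_cookies:
                return "reject"
            if self.block_third_party and not same_site(cookie.domain, page_domain):
                return "reject"                           # a third-party cookie
        if cookie.persistent and self.force_session_only:
            return "accept-as-session"                    # kept in memory only
        return "accept"

    def may_send(self, cookie: Cookie, request_domain: str) -> bool:
        """Return the cookie only to the domain that created it (and its subdomains)."""
        return same_site(cookie.domain, request_domain)
```

The two directions are kept separate on purpose: `decide` governs what is stored, `may_send` governs what leaves the browser, and "only return cookies to the originating domain" is a statement about the second even when the first has been relaxed.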

Figure 9-11 Configuring cookie support in Firefox.

9.3.5 Internet Explorer Security Zones
Internet Explorer orients the Security settings around the web content zone of the site to be accessed by the web browser, as shown in Figure 9-12. In other words, the security settings the browser uses will depend on which zone the website being requested resides in. The zones are as follows:
▲ Internet
▲ Local intranet
▲ Trusted sites
▲ Restricted sites

Internet Zone
The Internet zone contains all websites the user hasn’t placed in any other zone. In a sense, this is the default zone. This is one zone to which you cannot add sites. Unless security is relaxed for a particular site, it will be put into the Internet zone and have default security settings. By default, all websites that are not

added to the local intranet zone, the trusted sites zone, or the restricted sites zone are placed into the Internet zone.

Figure 9-12 Internet Explorer zones.

Local Intranet Zone
The local intranet zone is intended to contain all websites that are on the intranet of the user’s organization. The local intranet zone contains local domain names, as well as the addresses of any proxy server exceptions you might have configured. These sites are considered to be more trusted than those that default to the Internet zone. To be effective, the local intranet zone should be set up

in conjunction with a local area network (LAN) proxy server or firewall. The intent is that all sites in the local intranet zone are on the local network and inside the firewall.

Trusted Sites Zone
The trusted sites zone contains websites that the user trusts will not damage the computer. The user should also trust this site with sensitive or personal data. The Security settings can require SSL for all the sites in this zone. Be cautious when adding sites to the trusted sites zone. If the site is compromised at some point in the future, your computer will be vulnerable. This zone should rarely be used. Few websites need the added features of this zone. Most web sites that might be put in this zone will probably operate equally well in the local intranet zone.

Restricted Sites Zone
The restricted sites zone contains websites that could potentially damage your computer or data. The default security level for the restricted sites zone is High.

FOR EXAMPLE
Flaw in Acrobat Reader Plug-in
Many companies and government offices post PDF files on their websites to provide users with information and even to allow users to fill out and print or submit forms. It has long been regarded as a secure way to distribute information on the Internet. However, in December 2006, researchers discovered a flaw that will allow attackers to execute malicious code when a user clicks a PDF document link. The flaw exists when the plug-in is used in Internet Explorer 6.0 (and earlier) and in Mozilla’s Firefox browser. The attack is performed by modifying the link to a PDF document on a website. The modified link includes code that exploits the vulnerability in the plug-in. According to researchers, this vulnerability could be used to create a number of attacks, including installing Trojan horses and accessing data. What do you do to mitigate the attack? If you are using one of these browsers, you need to avoid opening PDF documents within the browser. Instead, download them to the hard disk and open them in Acrobat Reader. Or better yet, upgrade your browser to one that does not have the flaw.

9.3.6 Configuring Web Features in Firefox
The Firefox browser allows you to configure feature support for pop-ups, installing software, loading images, Java, and JavaScript. As you can see in Figure 9-13, you can allow pop-ups, installed software, and images from only specific sites.

SELF-CHECK
1. Compare persistent and non-persistent cookies with regards to the security risk.
2. Identify and describe the four security zones in Internet Explorer.

9.4 Email Security
Along with web browsing, email has made the Internet popular, widespread, and indispensable for most users. Despite its critical role in the typical Internet user’s life, email is comparatively insecure. Email is widely used and has well-defined and universally implemented protocols. Therefore, it is a prime target for hackers developing attacks. Attacks on email focus on two areas: the delivery and execution of malcode and the disclosure of sensitive information. In this section we’ll look at how to mitigate both types of attacks.

9.4.1 Attacks that Disclose Data
For many years, the popular email protocols Post Office Protocol (POP3) and Simple Mail Transfer Protocol (SMTP) have transmitted email in clear text. Because email is transmitted in ASCII text, the words typed into an email message are easily viewed and read at the IP packet level. Figure 9-14 shows a captured IP packet from an SMTP session. The text of the email can be clearly seen in the raw packet. In the sample packet, the text “My passcode is S0nnyB0y” can clearly be read. It is only slightly more difficult to modify the text in the email by modifying the packets. The capturing and modifying of email can be done via either a man-in-the-middle, replay, or phishing attack. In this section, we’ll look at each of these types of attacks.

Email Man-in-the-middle Attacks
In some man-in-the-middle attacks, the attacker must have control of one of the many firewalls, routers, or gateways through which the email traverses. Other man-in-the-middle attacks do not require control of a device; rather, the attacker merely needs to reside on the same local area network (LAN) segment

as one of the computers sending or receiving the email. In this case, the attacker can use an Address Resolution Protocol (ARP) spoofing tool, such as ettercap, to intercept and potentially modify all email packets going to and from the mail server or gateway. In an ARP spoof attack, the attacker gets between any two hosts in the email transmission path. There are four possible locations to attack:
1. Between the email client and server: This situation assumes that the client and server are on the same LAN segment.
2. Between the email client and the gateway: The gateway must be in the path to the mail server.
3. Between the gateway and the mail server: This option assumes the client and the server are not on the same LAN segment, and therefore the email traffic must reach the server via a gateway.
4. Between two gateways: The gateways must be in the path between the client and the server.

Figure 9-13 Web Features settings in Firefox.
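Section 9.4.1 states that the words of a clear-text SMTP message can be read straight out of the IP packet, and Figure 9-14 (next page) shows such a frame as a hex dump. The following is an added example, not code from the book: it re-assembles the bytes of that figure from its printed hex columns (the extracted text of row 0020 lists its byte pairs out of order, and they are placed here according to the IP/TCP header layout, so the row is a reconstruction), decodes the Ethernet, IPv4, and TCP headers, and runs the payload through the kind of keyword check a network monitor uses to flag credentials crossing the wire in the clear. The patterns in SENSITIVE are constructed for illustration.

```python
import re
import struct
from typing import Dict, List

# Frame from Figure 9-14, re-assembled from the figure's hex columns (row 0020
# reconstructed from the header layout; see the lead-in). 151 bytes in total.
FIGURE_9_14 = """
0000  00 0a f4 5f 20 b6 00 06 5b ec f8 35 08 00 45 10
0010  00 89 eb 84 40 00 40 06 61 17 c0 a8 7b 63 3f a7
0020  27 88 c5 f9 00 19 ec 85 72 10 30 00 95 a3 80 18
0030  16 d0 c5 64 00 00 01 01 08 0a 00 01 ff c3 30 93
0040  86 a2 4d 6f 6d 2c 20 70 6c 65 61 73 65 20 77 69
0050  72 65 20 6d 65 20 24 31 30 30 30 20 74 6f 20 6d
0060  79 20 62 61 6e 6b 20 61 63 63 6f 75 6e 74 20 23
0070  20 34 35 36 37 2d 39 38 33 32 2e 20 20 4d 79 20
0080  70 61 73 73 63 6f 64 65 20 69 73 20 53 30 6e 6e
0090  79 42 30 79 2e 0d 0a
"""


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset  xx xx ...' lines back into raw bytes."""
    data = bytearray()
    for line in dump.strip().splitlines():
        data.extend(int(h, 16) for h in line.split()[1:])   # drop the offset column
    return bytes(data)


def parse_frame(frame: bytes) -> Dict:
    """Decode Ethernet, IPv4 and TCP headers and return the clear-text payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    total_length = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_length]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4               # TCP header length incl. options
    return {
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "src_port": src_port,
        "dst_port": dst_port,                      # 25 = SMTP
        "push": bool(tcp[13] & 0x08),              # PSH flag: application data present
        "payload": tcp[data_offset:].decode("ascii", errors="replace"),
    }


# Constructed patterns a clear-text mail monitor would alert on.
SENSITIVE =  {
    "credential": re.compile(r"\bpass(?:word|code)\b", re.I),
    "account number": re.compile(r"\baccount\s*#\s*[\d-]+", re.I),
}


def sensitive_markers(text: str) -> List[str]:
    """Names of the patterns that match in the payload."""
    return [name for name, pat in SENSITIVE.items() if pat.search(text)]


def analyze_figure_9_14() -> Dict:
    """Decode the book's sample frame and flag what it leaks."""
    info = parse_frame(parse_hexdump(FIGURE_9_14))
    info["markers"] = sensitive_markers(info["payload"])
    return info
```

The decoded frame goes from 192.168.123.99 to port 25 on 63.167.39.136 and carries the whole message body, which is the point of the figure: nothing in the protocol hides it, so the remedy is encryption of the session or of the message, not configuration of the mail server.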

Figure 9-14 A captured IP packet clearly shows email text. (The figure is a hex dump of the frame with the Destination IP, Source IP, and Data fields labeled; the data field reads “Mom, please wire me $1000 to my bank account # 4567-9832. My passcode is S0nnyB0y.”)

Figure 9-15 illustrates the network configuration for the ARP spoofing attack. In the ARP spoofing man-in-the-middle attack, the email’s IP packets are intercepted on their way to or from the mail server. The packets are then read and possibly modified. The attacker has some minor limitations when modifying the packets. For example, the total length of the packet cannot grow to a size larger than the maximum allowable for transmission on the network.

Man-in-the-middle attacks can be avoided by using encryption and by digitally signing messages. If the encryption is sufficiently strong, the attacker will not be able to decrypt and alter the email. Digital signatures ensure the integrity of the body of the email message. Figure 9-16 illustrates how a digital signature is created and attached to the email. An attacker could not alter the message or the hash (digital signature) without being detected. The recipient is able to decrypt the hash with the sender’s public key and verify the email to have been unaltered.

Email Replay Attack
An email replay attack occurs when an email packet (or set of packets) is captured, the email message extracted, and the message put back on the network at a later time (replayed). This causes a second, identical email to be received. The danger or damage occurs when the second email is accepted as legitimate and causes unforeseen consequences. Replay might be used if an attacker discovers a business that sends financial transactions over email. The attacker then arranges for a nominal transaction

. or Router No Attack Man-in-the-Middle ARP Spoofing Attack Direct communications do not occur—the Man-inthe-Middle interrupts the ARP request/response Mail Server Email Client or Gateway Attacker sends ARP requests and responses on behalf of the Mail Server (or Gateway) Mail Server or Gateway Attacker sends ARP requests and responses on behalf of the Mail Client (or Gateway) Man-in-the-Middle All traffic between the email client (or gateway) and the email server (or gateway) passes through the Man-in-the-Middle ARP spoofing attack. Firewall.340 PROTECTING AGAINST MALWARE Figure 9-15 Under normal circumstances the two hosts exchange MAC addresses and send traffic directly to each other. Mail Server Email Client Gateway. Email Client If one or more gateways are between the Client and the Server. then the traffic must first be sent to each gateway.

In the case of a replay attack.4 EMAIL SECURITY 341 Figure 9-16 Email Message <Header> Email Message <Header> <Header> <Message Body> <Header> <Message Body> <Message Body> <Message Body> <Digital Signature> Email Message is Hashed and then Encrypted with Sender’s Private Key Digital Signature is Appended to the End of the Email. Only the Sender’s Public Key is Needed to Verify the Signature -----BEGIN PGP SIGNATURE----Version: GnuPG v1. shown in Figure 9-17. The attacker merely needs to be on one of the many segments that the email packets traverse on their way to or from the mail server. the attacker does not have to use the gateway or ARP spoofing. (perhaps a $100 refund).4 (GNU/Linux) iD8DBQBBArSITQBr3QfcFjQRAvN5AJ9soay9gU0OjVG/ w9iW1KVnd0GwVQCgqvg5 5hCs97VimYCbmAbJwiV9W6g= =mFg3 -----END PGP SIGNATURE----Attaching a digital signature. causing several refunds to occur. The attacker captures the email authorizing the refund and replays it several times.9. To launch a phishing attack. . such as a bank account number or logon credentials for an online banking website.2. Phishing A phishing attack is one in which a user is tricked into clicking a link in an email and divulging confidential information.

2 Spam Spam is an unwanted email. 9. the spoofed email does a good job of impersonating an actual email that might be sent by eBay. Attacker Sniffing the Line. We’ll talk about spam next. It is a major irritant and consumer of resources.4. the best way to mitigate the risk of phishing attacks is to train users to never click on a link in an email or to verify the actual address of the link before clicking it. Also. However. Captures an Email 2. In this case. the ISP’s spam filter was able to identify the message as spam and marked it as such in the Subject line. However. such as a bank. or eBay®. The email includes a link that appears to be to the legitimate site. but from ebay. From a security perspective.342 PROTECTING AGAINST MALWARE Figure 9-17 Network with Mail Server Mail Client 1 (Sender) 1. It has been estimated that for some of the large email providers. Spammers (people who send spam) make money by getting their advertising message out to thousands or millions of people. over half of the email they service is spam. spam is a potential denial-of-service (DoS) problem.0 provides a phishing filter that attempts to determine whether a site is legitimate. Very few will respond positively . Notice that when you mouse over the link. notice that the email does not originate from ebay. Internet Explorer 7. PayPal®.eu. In gross terms. Attacker Modifies and Resends the Captured Email Mail Client 1 (Recipient) 3. Figure 9-18 shows an example of an email sent in a phishing attack. but that actually goes to an imposter site. this means that these providers could get by with half of their current resources to handle their customers’ email. an attacker sends email that pretends to be from a legitimate company. an address appears that is different from that of the legitimate website.com. Spam has become a serious problem in today’s networking environment. Recipient Believes They Have Received Two Emails from the Sender Attacker Email replay attack.

4 EMAIL SECURITY 343 Figure 9-18 Phishing attack email. This results in a flood of email traffic to the forged address. Spammers take steps to hide their originating (From:) address.9. If a spammer does not use a valid domain. In this case. This address can be either fake (such as “yourfriend. essentially shutting down the address for legitimate use. the spam can be blocked by testing that the email was sent from a legitimate domain. or blacklisted. complaints. . the spammers could be tied up in legal proceedings.spam”) or a legitimate address that is not owned by the spammer. The most prevalent DoS attack that occurs due to spam is when a spammer forges an address on thousands or millions of mail messages. Spammers view email headers as a possible Achilles heel that can hurt them. a domain is legitimate if it returns a value when a domain name system (DNS) lookup is done. The result is tens of thousands of bounces. fined. Spam DoS Attacks Spam DoS attacks can be launched by spammers using false domains in the emails they send. but even a very small percentage of responses will produce enough activity to make the spamming profitable because it is very cheap to send email. Spammers put their advertising message into the body of the email and view email headers as a necessary encumbrance needed to get the body delivered. If users and ISPs are able to trace the spam back to the source. Some spam even uses your own email address as the sender. and a few responses. This is easily done if spammers run their own email servers. to the message. Blacklisting is discussed a little later.
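The hash-then-encrypt flow of Figure 9-16, as an added example that is not code from the book: the body is hashed, the hash is encrypted with the sender's private key, the result is appended to the message, and the recipient recovers the hash with the public key and compares it with a fresh hash. The key pair is a constructed textbook-sized RSA pair (p = 61, q = 53) so that the arithmetic is visible; the signature block delimiters and the sample message are also assumptions of this example, not anything the chapter specifies.

```python
import hashlib

# Constructed toy RSA key pair for illustration only (p = 61, q = 53, so
# n = 3233; e = 17 and d = 2753 satisfy e*d = 1 mod 3120). Real signatures use
# keys of thousands of bits; these numbers only make the arithmetic visible.
PUBLIC_KEY = (17, 3233)      # (e, n): handed to every recipient
PRIVATE_KEY = (2753, 3233)   # (d, n): kept by the sender alone

SIG_BEGIN = "-----BEGIN TOY SIGNATURE-----"
SIG_END = "-----END TOY SIGNATURE-----"


def sign(body, private_key):
    """Hash the message body, then encrypt the hash with the private key.
    Each digest byte is signed on its own because the toy modulus is tiny."""
    d, n = private_key
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return [pow(byte, d, n) for byte in digest]


def verify(body, signature, public_key):
    """Decrypt the signature with the public key and compare the recovered
    hash with a fresh hash of the body: a change to either is detected."""
    e, n = public_key
    recovered = [pow(s, e, n) for s in signature]
    return recovered == list(hashlib.sha256(body.encode("utf-8")).digest())


def attach_signature(body, signature):
    """Append the signature block to the end of the email, as in Figure 9-16."""
    sig_text = ",".join(str(s) for s in signature)
    return f"{body}\n{SIG_BEGIN}\n{sig_text}\n{SIG_END}\n"


def split_signed(message):
    """Separate the body from the appended signature block."""
    body, _, rest = message.partition("\n" + SIG_BEGIN + "\n")
    sig_text = rest.split("\n" + SIG_END, 1)[0]
    return body, [int(x) for x in sig_text.split(",") if x]


def check_message(message, public_key):
    """What the recipient does: True only if body and signature still match."""
    try:
        body, signature = split_signed(message)
        return verify(body, signature, public_key)
    except ValueError:          # malformed or missing signature block
        return False


# Constructed sample message; the account number is a placeholder.
ORIGINAL = "Mom, please wire me $100 to my bank account #0000-0000."
SIGNED = attach_signature(ORIGINAL, sign(ORIGINAL, PRIVATE_KEY))
TAMPERED = SIGNED.replace("$100", "$1000")   # a man-in-the-middle edit

if __name__ == "__main__":
    print("original verifies:", check_message(SIGNED, PUBLIC_KEY))    # True
    print("tampered verifies:", check_message(TAMPERED, PUBLIC_KEY))  # False
```

The last assertion in the accompanying test shows why the private key matters: a "signature" produced with the public key does not verify, so an interceptor who has only the public key cannot re-sign an altered body.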
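A receiving-side check for the refund replay described above, as an added example (not from the book): the payments mailbox remembers the Message-ID and a body hash of every accepted authorization and refuses a second copy, and it also refuses messages dated outside an acceptance window. The one-hour window, the constructed refund email, and the clock values are assumptions of this example.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime


class ReplayDetector:
    """Reject transaction emails that have already been accepted.

    A copy whose Message-ID was seen before is a replay whatever its body
    says (the body hash only tells us whether it was also altered). Messages
    dated outside the acceptance window are refused even with a new
    Message-ID, which bounds how long seen IDs must be kept.
    """

    def __init__(self, max_age=timedelta(hours=1)):
        self.max_age = max_age
        self.seen = {}          # Message-ID -> sha256 of the body

    def check(self, raw_message, now):
        msg = message_from_string(raw_message)
        msg_id = msg.get("Message-ID")
        if not msg_id or not msg.get("Date"):
            return False, "missing Message-ID or Date header"
        try:
            sent = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            return False, "unparseable Date header"
        if sent.tzinfo is None:             # "-0000" dates come back naive
            sent = sent.replace(tzinfo=timezone.utc)
        age = now - sent
        if age > self.max_age or age < -self.max_age:
            return False, f"Date outside acceptance window ({age})"
        body_hash = hashlib.sha256(msg.get_payload().encode("utf-8")).hexdigest()
        if msg_id in self.seen:
            kind = "identical" if self.seen[msg_id] == body_hash else "altered"
            return False, f"replayed Message-ID {msg_id} ({kind} body)"
        self.seen[msg_id] = body_hash
        return True, "accepted"


# Constructed sample: the refund authorization from the chapter's scenario.
REFUND_EMAIL = """\
From: accounts@example.com
To: payments@example.com
Date: Mon, 05 May 2008 10:00:00 +0000
Message-ID: <refund-0001@example.com>
Subject: Refund authorization

Please refund $100 to order 12345.
"""

NOW = datetime(2008, 5, 5, 10, 5, tzinfo=timezone.utc)   # constructed clock
LATER = NOW + timedelta(days=1)

if __name__ == "__main__":
    detector = ReplayDetector()
    print(detector.check(REFUND_EMAIL, NOW))     # (True, 'accepted')
    print(detector.check(REFUND_EMAIL, NOW))     # (False, 'replayed Message-ID ...')
    print(ReplayDetector().check(REFUND_EMAIL, LATER))   # (False, 'Date outside ...')
```

An attacker who can modify packets can also change the Message-ID and Date headers, which is why this check complements, rather than replaces, the digital signature: headers the detector relies on must be inside the signed portion of the message.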
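The two tell-tale signs the phishing discussion points out, a link whose displayed address differs from its real target and a sender domain that is not the company's, as an added example of what a simple phishing filter can check automatically (not code from the book). The HTML body and the hostnames are constructed; the registrable-domain helper is a simplification that takes the last two labels and is labelled as such.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname part of a URL; a bare 'www.example.com/x' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix list is
    used here, so 'co.uk'-style suffixes are not handled correctly."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return (visible text, href, reason) for links a filter should flag."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        target = host_of(href)
        if not target:
            continue
        if is_ip_literal(target):
            findings.append((text, href, "link target is a bare IP address"))
            continue
        # Only compare when the visible text itself looks like an address.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append((text, href, "displayed address differs from real target"))
    return findings


def sender_domain_matches(from_header, expected_domain):
    """The From: check (ebay.com versus ebay.eu in the chapter's example)."""
    address = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return registrable_domain(address.rsplit("@", 1)[-1].lower()) == expected_domain


# Constructed phishing-style body; the hostnames are documentation names.
SAMPLE_HTML = """
<p>Dear member, your account is on hold.</p>
<p>Sign in at <a href="http://signin.ebay.com.account-check.example/login">
https://signin.ebay.com/</a> to restore access.</p>
<p>Or <a href="http://192.0.2.10/ebay/login">update your account here</a>.</p>
<p><a href="https://pages.ebay.com/help">Help</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_HTML):
        print(f"{reason}: '{text}' -> {href}")
    print(sender_domain_matches("eBay <service@ebay.eu>", "ebay.com"))   # False
```

The first sample link is the pattern the mouse-over test exposes: the real target ends in account-check.example and merely begins with the bank's name. A link with ordinary words as its text (the "Help" link) cannot be judged by this comparison at all, which is one reason the chapter's advice to users remains the primary defence.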

Another DoS situation occurs when the spammer forges a valid email address. When a spammer's email arrives, a DNS lookup is conducted to verify that the sender's email address is legitimate, and this address then gets blacklisted. When this occurs, the user of the valid email can experience obstacles to sending legitimate email to users whose ISP uses blacklists.

Blacklisting

A blacklist is a database of known Internet addresses (by domain names or IP addresses) used by spammers. ISPs and bandwidth providers subscribe to these blacklist databases to filter out spam sent across their network or to their subscribers. Some blacklists are implemented by placing offending IP addresses in a DNS database. When a DNS lookup is conducted, blacklisted addresses return invalid responses so the server rejects the email. Lists of IP addresses to be added to the blacklist are collected in different ways, including the following:

▲ The email user community sends samples of spam to the blacklist site. The site parses out the offending originating email IP addresses and adds them to the blacklist.
▲ The blacklist provider runs its own mail server and fake email address. Any email received is automatically unsolicited and therefore spam.
▲ Blacklist providers exchange lists.

Spam Filters

Spam filters attempt to identify spam from the content of the message subject and body. Often, this is based on identifying words that frequently appear in spam. This is known as the naive Bayes classifier. However, this method of classification often results in non-spam being classified as spam. Also, spammers have begun to use various methods of preventing spam filters from working. One method is to insert word salad (a set of random or pseudorandom words) into the text of the message. Another is to use letter salad to disguise words in the subject that are frequently associated with spam. For example, here are two letter salad subject lines:

▲ Why seek? Choose any love pi11 you want!
▲ Re: primar VIAttGRA

Figure 9-19 shows an example spam email that uses both word salad and letter salad. In this example, the ISP did not identify it as spam, but the Norton AntiSpam™ application did. It includes an attachment, which should not be opened under any circumstances. This is a good illustration of why multiple layers of defense should be used to protect against malware. However, user education can go a long way toward thwarting such an attack.

Figure 9-19 Sample spam.

9.4.3 Protecting Against Malcode Propagated by Email

Most malcode transmitted by email is not activated unless a user opens the email or the attachment. Therefore, you can avoid most email-propagated malcode attacks by properly using your email. The following are some guidelines users should keep in mind:

▲ Be paranoid. Do not open any email that is not expected. An unexpected "Read This" or "Try This Game" should be ignored until the user can verify the sender's intentions.
▲ Keep your email address private. Avoid providing it whenever possible on websites and other interactive forums such as chat rooms.
▲ Set up one or more sacrificial email addresses. When an email address must be provided to a website, the user should have a sacrificial email address to use. When an email is received on this account, the user knows that there is a high likelihood that it will be spam or malicious in nature. The user should resist the temptation to browse through the emails received on this account.
▲ Keep email for different organizations separate. In most cases, this will mean one account for work and a separate account for home. The ramifications of receiving and propagating malicious code in a work environment might be more damaging than at home.
▲ Never save or open attachments from strangers. All curiosity must be resisted. Some users would be surprised to find how easily life proceeds without opening risky emails and attachments.
▲ Never save or open attachments that are not absolutely needed. The fact that a friend wants to send a user an attachment does not obligate the user to open it. If it is really important or of special interest, the friend will follow up and explain what is in the attachment. The verification can be in person, by phone, or by a second email (initiated from the user).
▲ If supported, turn off the preview function on your email client.
▲ Scripting capabilities of the email clients should be disabled whenever possible. As discussed earlier, if scripts are executed by the email client, the user will be vulnerable to worms and viruses. If scripts must be passed around, they should be compressed when they are sent, saved to a file, and examined before being executed.

Common sense can be a strong deterrent to the spread of malicious code.

9.4.4 Mail Client Configurations

Microsoft Outlook® uses the same security zones as Internet Explorer to allow users to customize whether scripts and active content can be run in HTML messages. You can also determine whether elements in HTML pages, such as pictures, are downloaded automatically, as shown in Figure 9-20. The default is to not download automatically unless the site is included in the trusted sites zone or if the sender has been added to the Safe Senders or Safe Recipients list. You should not turn on automatic download for all senders.

Some mail clients, including Outlook and Outlook Express, are configured to block attachments with risky file extensions. This protection should be kept enabled and you should add file extensions to the list as attacks emerge. These settings are shown in Figure 9-21. You can configure email encryption and digital signatures to protect the confidentiality and integrity of the messages you send.

Figure 9-20 Automatic Picture Download Settings dialog box.

9.4.5 Architectural Considerations

A number of system- and network-related architectural considerations ensure safe use of email:

▲ Check for viruses. Every computer should have virus protection installed.
▲ Use a mail relay or mail proxy. Medium- to large-size organizations benefit from having all their mail received first by a mail relay or mail proxy. The mail relay will usually sit in the perimeter network. If configured properly, the relay can check for unwanted scripts, viruses, and questionable attachments. Mail relays are also a good place to put spam protection, such as blacklist monitoring and spam filtering.
▲ Buffer against attacks. If possible, risky email should be read on computers that can better afford to be attacked. Generally, this would be a computer that has little or no personal and sensitive data. This computer also should not contain critical applications that can't be lost or re-installed. It should be expected that a computer that is buffering this way might have to be rebuilt every 3 to 6 months.
▲ Back up frequently. Even the best security measures will occasionally fail to stop a new and emerging threat. To minimize the impact when that happens, backups should be done frequently. The frequency of backups depends on the level of critical data involved. A book author will back up a few times a day, although the typical home user might get by with backing up once a week or once a month.
▲ Control scripting capabilities. Some mail clients will provide collaboration capability and run scripts automatically. Usually, this feature can be disabled to reduce the risk of worm and virus attacks.

Figure 9-21 Outlook security settings.
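The two DNS-based checks a relay applies to an incoming connection, the sender-domain lookup from the Spam DoS discussion and the DNS-based blacklist lookup from the Blacklisting section, as one added example (not code from the book). A DNS blacklist is queried by reversing the client's IPv4 octets under the list's zone; a listed address answers with an address in 127.0.0.0/8 and an unlisted one does not exist. The resolver is injected so the example runs against constructed answers; the zone name dnsbl.example, the documentation addresses, and the sender addresses are all assumptions of this example.

```python
import ipaddress


def sender_domain(address):
    """Domain part of 'Name <user@host>' or 'user@host'."""
    address = address.rsplit("<", 1)[-1].rstrip(">").strip()
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def dnsbl_query_name(client_ip, zone):
    """Name a mail server looks up to ask a DNS-based blacklist about an IPv4
    address: octets reversed, under the list's zone (192.0.2.10 becomes
    10.2.0.192.<zone>). Listed addresses answer in 127.0.0.0/8."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def evaluate_sender(from_header, client_ip, resolve, dnsbl_zone):
    """Apply both checks and return ('accept' | 'reject', reasons).

    resolve(name, record_type) returns a list of answer strings, or an empty
    list when the name does not exist. Injecting it lets the same logic run
    against a real resolver or, as here, against constructed data.
    """
    reasons = []
    domain = sender_domain(from_header)
    if not (resolve(domain, "MX") or resolve(domain, "A")):
        reasons.append(f"sender domain {domain!r} does not resolve")
    answers = resolve(dnsbl_query_name(client_ip, dnsbl_zone), "A")
    listed = [a for a in answers if a.startswith("127.")]
    if listed:
        reasons.append(f"{client_ip} is listed in {dnsbl_zone} ({listed[0]})")
    return ("reject" if reasons else "accept"), reasons


# Constructed resolver data. 'dnsbl.example' is a placeholder zone, not a real
# blacklist; 192.0.2.10 is the one listed client; 'yourfriend.spam' is the
# fake domain the chapter mentions and has no records.
FAKE_DNS = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("10.2.0.192.dnsbl.example", "A"): ["127.0.0.2"],
}


def fake_resolve(name, record_type):
    return FAKE_DNS.get((name, record_type), [])


if __name__ == "__main__":
    for sender, ip in [("alice@example.com", "192.0.2.20"),
                       ("Your Friend <bob@yourfriend.spam>", "192.0.2.20"),
                       ("alice@example.com", "192.0.2.10")]:
        print(sender, ip, evaluate_sender(sender, ip, fake_resolve, "dnsbl.example"))
```

For live use, `resolve` would wrap a real DNS client (for example dnspython's resolver, which can ask for MX records; the standard library's `socket.gethostbyname` only returns A records). Note that the sender-domain check alone is what turns a forged but valid address into the second DoS scenario above, because the lookup succeeds and the innocent domain ends up blacklisted.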
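The naive Bayes classifier the Spam Filters section names, as an added example (not code from the book): a Bernoulli naive Bayes filter over word presence, with a tokenizer that undoes the digit-for-letter substitutions of letter salad so that "pi11" is counted as "pill". The training messages are constructed from the chapter's sample subject lines, and the substitution table is an assumption of this example; letter salad that inserts extra letters ("VIAttGRA") is not normalized by it.

```python
import math
import re
from collections import Counter

# Digit/symbol substitutions used in letter salad ("pi11" -> "pill", "ca$h" -> "cash").
LETTER_SALAD = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                              "5": "s", "7": "t", "@": "a", "$": "s"})


def tokenize(text):
    """Lower-case words; undo letter salad in tokens that contain letters."""
    tokens = []
    for word in re.findall(r"[a-z0-9@$]+", text.lower()):
        if len(word) < 2 or not re.search(r"[a-z]", word):
            continue            # drop single characters and pure numbers/symbols
        tokens.append(word.translate(LETTER_SALAD))
    return tokens


class NaiveBayesSpamFilter:
    """Bernoulli naive Bayes: every vocabulary word contributes evidence,
    whether it is present in the message or absent from it."""

    def __init__(self):
        self.docs = {"spam": 0, "ham": 0}
        self.words = {"spam": Counter(), "ham": Counter()}

    def train(self, text, label):
        self.docs[label] += 1
        self.words[label].update(set(tokenize(text)))

    def spam_probability(self, text):
        if not (self.docs["spam"] and self.docs["ham"]):
            raise ValueError("need training examples of both classes")
        present = set(tokenize(text))
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])   # prior
        for word in set(self.words["spam"]) | set(self.words["ham"]):
            # Laplace-smoothed P(word present | class)
            p_spam = (self.words["spam"][word] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.words["ham"][word] + 1) / (self.docs["ham"] + 2)
            if word in present:
                log_odds += math.log(p_spam / p_ham)
            else:
                log_odds += math.log((1 - p_spam) / (1 - p_ham))
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


# Constructed training data (the first spam line is from the chapter).
SPAM_SAMPLES = [
    "Why seek? Choose any love pi11 you want!",
    "Buy cheap pills online now",
    "Cheap pills, discount order today",
]
HAM_SAMPLES = [
    "Meeting tomorrow about the project budget",
    "Can you send the project report",
    "Lunch tomorrow at noon",
]


def trained_filter():
    spam_filter = NaiveBayesSpamFilter()
    for text in SPAM_SAMPLES:
        spam_filter.train(text, "spam")
    for text in HAM_SAMPLES:
        spam_filter.train(text, "ham")
    return spam_filter


if __name__ == "__main__":
    f = trained_filter()
    for text in ("Re: cheap pi11s for you", "Can we move the project meeting to tomorrow?"):
        print(f"{f.spam_probability(text):.3f}  {text}")
```

The threshold is where the false-positive problem the chapter mentions is tuned: raising it above 0.5 means fewer legitimate messages are marked as spam at the cost of letting more spam through. Word salad attacks this classifier from the other side, by adding words that look like legitimate mail and drag the probability down.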

▲ Limit attachments. In many cases, it is not safe to allow attachments on email. Attachments can contain scripts and executable code. When the user runs these scripts or executables, they will have all the privileges and access that the user enjoys. Unless the user is diligent and fully appreciates the risk, an organization can benefit from quarantining attachments.
▲ Quarantine attachments. A mail relay or mail proxy strips attachments off of emails before they are delivered to users. If the user needs the attachment and can verify that it has been sent by a legitimate sender, the user can recover that attachment.

FOR EXAMPLE

Microsoft Exchange 2007

In response to the increasing prevalence of spam, phishing schemes, and malware distributed through email, software developers are creating solutions that can help protect against email-propagated threats. One such enhancement is the Edge Transport server role in Microsoft Exchange 2007. The Edge Transport role is meant to be assigned to a dedicated server on the perimeter network. It does not need to be a member of the Active Directory domain because it can receive encrypted directory data through Active Directory Application Mode (ADAM). When a server is installed as an Edge Transport server, it can perform spam filtering based on the sender's reputation and usage patterns, content filtering, the safe sender lists compiled by users, and an Outlook postmark. The Outlook postmark is a puzzle of varying complexity that is attached to the email. The Edge Transport server can also implement virus scanning and attachment filtering, including examining the contents of a .zip file, to determine whether email contains file types that should be filtered. The Edge Transport server can quarantine suspect messages, allowing the administrator to selectively send them to users or even to convert them to plain text before sending them.

SELF-CHECK

1. Compare ARP spoofing and replay attacks.
2. Compare blacklisting and spam filtering.
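The attachment-stripping relay described under "Quarantine attachments", extended with the zip inspection the Exchange 2007 example mentions, as one added example serving both passages (not code from the book or from Exchange). The message is rebuilt with only the safe attachments and a header naming what was held back; the extension list and the constructed "Try This Game" message are assumptions of this example.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the relay will not deliver (assumed list; extend it as new
# attack types appear, as the chapter advises for the mail client's own list).
RISKY_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def risky_names(filename, data):
    """Names with risky extensions: the attachment itself, or files inside a zip."""
    found = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in RISKY_EXTENSIONS:
        found.append(filename)
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if os.path.splitext(member.lower())[1] in RISKY_EXTENSIONS:
                        found.append(f"{filename}:{member}")
        except zipfile.BadZipFile:
            found.append(f"{filename} (not a readable zip)")
    return found


def filter_message(raw_bytes):
    """Rebuild the message without risky attachments.

    Returns (cleaned EmailMessage, list of (attachment name, risky names)).
    A real relay would store the quarantined originals so a user who can
    verify the sender can recover them; here they are only reported.
    """
    original = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    cleaned = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if original[header]:
            cleaned[header] = original[header]
    body = original.get_body(preferencelist=("plain",))
    cleaned.set_content(body.get_content() if body else "")

    quarantined = []
    for part in original.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        hits = risky_names(name, data)
        if hits:
            quarantined.append((name, hits))
            continue
        maintype, subtype = part.get_content_type().split("/", 1)
        cleaned.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    if quarantined:
        cleaned["X-Quarantined-Attachments"] = "; ".join(n for n, _ in quarantined)
    return cleaned, quarantined


def build_sample():
    """Constructed 'Try This Game' email: a zip hiding an .exe plus a harmless text file."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Try This Game"
    msg["Message-ID"] = "<constructed-0001@example.com>"
    msg.set_content("Open the attached files.")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="game.zip")
    msg.add_attachment(b"just some notes", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, held = filter_message(build_sample())
    print("quarantined:", held)
    print("delivered attachments:", [p.get_filename() for p in cleaned.iter_attachments()])
```

The double extension "invoice.pdf.exe" is handled because only the final extension is consulted; an encrypted or nested zip would defeat this inspection, which is why the chapter's advice to treat unexpected attachments as suspect stands regardless of what the relay passes.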

SUMMARY

In this chapter you learned about various types of malware, including viruses, worms, Trojan horses, and spyware. Threats such as spam, phishing attacks, man-in-the-middle attacks, and replay attacks were also covered. You also learned how to protect yourself against these threats.

KEY TERMS

Active Directory Application Mode (ADAM), ActiveX, ActiveX control, Add-on, Address Resolution Protocol (ARP) spoofing tool, Adware, Anti-malware, Anti-spyware, Antivirus, ARP spoof attack, Autorun macro, Backdoor, Blacklist, Boot sector virus, Browser parasite, Compiled, Cookie, Cyclic redundancy check (CRC), Distributed denial-of-service (DDoS) attack, Edge Transport, Email replay attack, Ettercap, Host, ILOVEYOU virus, Internet zone, Java, Java applets, JavaScript, Letter salad, Local intranet zone, Logic bomb, Macro Virus Protection, Mail proxy, Mail relay, Malcode, Malware, Managed computer, Melissa, Michelangelo, Naive Bayes classifier, Nonpersistent cookie, Nyxem worm, Originating domain, Outlook postmark, Persistent cookie, Personal firewall, Phishing attack, Phishing filter, Plug-in, Portable Document Format (PDF), Post Office Protocol 3 (POP3), Propagated, Quarantining attachments, Replay attack, Replicate, Restricted sites zone, Rooted, Safe for execution, Safe for scripting, Scripts, Security manager, Self-propagation, Session cookie, Session hijacking, Sessionless, Simple Mail Transfer Protocol (SMTP), Slag code, Spam, Spam DoS attack, Spam filter, Spammer, SpyBlast, Spyware, State, Third-party cookie, Time bomb, Trapdoor, Trojan horse, Trusted sites zone, Virus, Virus signature, Visual Basic script (VBScript), Web beacon, Word salad, Worm, Zombie.

ASSESS YOUR UNDERSTANDING

Go to www.wiley.com/college/cole to assess your knowledge of protecting a computer against viruses, worms, and other malicious programs. Measure your learning by comparing pre-test and post-test results.

Summary Questions

1. Which of the following requires a host file to propagate? (a) worm (b) spyware (c) virus (d) logic bomb
2. Which of the following uses the autorun macro to attach itself to the Normal.dot file? (a) Michelangelo (b) Melissa (c) Nymex worm (d) SpyBlast
3. A browser parasite is an annoyance, but it cannot do any actual damage. True or false?
4. A logic bomb can be used to launch a DDoS attack. True or false?
5. SpyBlast is an effective anti-spyware program. True or false?
6. An ActiveX control that is marked safe for execution has been certified by Microsoft not to do anything harmful. True or false?
7. Which of the following is a computer that is centrally configured through an automated policy? (a) managed computer (b) rooted computer (c) host (d) zombie
8. An effective antivirus program with updated signatures is the only protection you need against viruses and worms. True or false?
9. Which statement best describes the dangers of automatically downloading graphics in an HTML message? (a) The graphics might contain macros that will perform a malicious task. (b) The graphics might be web beacons. (c) The graphics might be Trojan horses. (d) There is no danger involved.
10. Code written in JavaScript cannot access any file on the hard disk. True or false?
11. What type of cookie sends data to a different website than the one from which it originated? (a) nonpersistent cookie (b) persistent cookie (c) session cookie (d) third-party cookie
12. Which Internet Explorer zone contains any computer not included in the other zones? (a) internet (b) local intranet (c) restricted sites (d) trusted sites
13. What type of attack can be mitigated by using digital signatures? (a) ARP spoofing (b) email replay (c) phishing (d) spam DoS
14. Which type of attack relies on social engineering techniques? (a) ARP spoofing (b) email replay (c) phishing (d) spam DoS
15. Which of the following attempts to identify spam by looking at the content of the message? (a) blacklist (b) anti-malware program (c) spam filter (d) web beacon
16. A mail proxy should be installed in the perimeter network. True or false?

Applying This Chapter

1. Busicorp is concerned about the possibility of malware propagating through the organization. They are currently using their ISP to manage email. Users connect to the Internet using a shared Internet connection on the company network. Some users have laptop computers and also connect to the Internet from home or when traveling. There are three file servers on the network. You have been asked to devise a plan for mitigating the risk of malware.
(a) Identify the potential sources of viruses.
(b) What questions should you ask the ISP?
(c) What additional protections would be offered by an anti-malware program that are not offered by an antivirus program?
(d) Why might you want to limit ActiveX controls to only trusted sites?
(e) What benefits are provided by issuing digital signatures to be used on email?
(f) Why should security awareness training be a necessary part of the plan?
(g) Describe how the company could be a victim of a Spam DoS attack.

YOU TRY IT

Recognizing Malware

Understanding how to identify a risky download, attachment, or phishing email is an essential part of mitigating the threat of malware. Automated scanners have limitations: they can only identify known attacks. Identifying new or unpublished attacks requires a sharp eye and a keen nose for trouble. Users can develop those over time, but they need training. Of course, before you can train users in what to look for, you have to know yourself. Think about the following situations and determine whether the action is safe, moderately safe or moderately risky, or risky. Explain why.

1. You access an online shopping site. A dialog is displayed that reports the site's SSL certificate has expired. How risky is it to provide your credit card on this site?
2. You access an online shopping site. A dialog is displayed that reports that the site's SSL certificate was not issued by a trusted certificate authority. How risky is it to provide your credit card on this site?
3. You access a vendor's website and a yellow bar appears asking you to download an ActiveX control. You have been working with this vendor for a few years and have not had a problem. When you attempt to install it, you receive an error that the control is not signed. How risky is it to download the control?
4. You receive an email from your bank asking you to verify your address and phone number. The email contains a link with a different domain name than your online banking site. When you click the link, you are prompted for a username and password. How safe is it to enter the information?
5. You receive an email from a former business acquaintance who you haven't heard from in several years. The subject of the message is Hello. The message contains an attachment. How risky is it to open the attachment?
6. You have antivirus software installed, but you are connecting to the Internet through a dial-up connection until your broadband service is restored. How risky is it to ignore the virus signature update message?
7. An online training website uses a nonpersistent cookie to track your progress in a session. How risky is it to accept the cookie?
8. You are creating a website for your business and need to publish your email address so that customers can contact you. How risky is it to use your regular email address?

10 ONGOING SECURITY MANAGEMENT

Starting Point

Go to www.wiley.com/college/cole to assess your knowledge of ongoing security management. Determine where you need to concentrate your effort.

What You'll Learn in This Chapter

▲ Configuration management
▲ Importance of keeping computers up-to-date
▲ Windows Update
▲ Software Update Services (SUS)
▲ Systems Management Server (SMS)
▲ Auditing
▲ In-bound remote management
▲ Out-of-bound remote management

After Studying This Chapter, You'll Be Able To

▲ Design a configuration management policy
▲ Choose a method of keeping Windows® computers up-to-date
▲ Implement auditing
▲ Choose an in-bound remote management method
▲ Choose an out-of-bound remote management method

INTRODUCTION

After you have designed and implemented security policies on your network, your job has really just begun. Now begins the day-to-day work of ensuring your network stays operational and secure. This chapter examines three areas you must consider to keep your network operating securely. The chapter begins by looking at the importance of keeping your computers up-to-date with the latest security patches. Next, the chapter discusses ways to audit your network to verify that attacks are not occurring. Finally, the chapter examines how to set up a secure infrastructure to allow you to manage your servers remotely.

10.1 Managing Updates

Attackers are constantly searching for ways to exploit systems. In 2007, a study conducted by Michel Cukier from the University of Maryland revealed that a computer on the Internet is hacked every 39 seconds. Therefore, it is important to remain vigilant in keeping your network up-to-date against the latest security threats. There is much more to updating the security of your infrastructure than just applying new patches. In addition to applying security-related patches, you will need to make configuration changes as new information and attacks become known or as new services or applications are installed. In this section, first we'll look at configuration management in general terms. Then we will show you the different tools that you can use to solve your security update woes, as well as the benefits and drawbacks of each potential solution. Our focus will be on the tools provided for updating the computers in a Windows network.

10.1.1 Configuration Management

Configuration management is the process of tracking and approving changes to a system. It involves identifying, controlling, and auditing all changes made to the system, including hardware and software changes, networking changes, or any other changes affecting security. The primary security goal of configuration management is to ensure that changes to the system do not unintentionally diminish security. For example, configuration management might prevent an older version of a system from being activated as the production system. Configuration management also makes it possible to accurately roll back to a previous version of a system in case a new system fails or you discover that it has a vulnerability not present in the previous version. Another goal of configuration management is to ensure that system changes are reflected in current documentation to help mitigate the impact that a change might have on the security of other systems.

Configuration management requires the following tasks:

▲ Identify and document the functional and physical characteristics of each configuration item for the system.
▲ Manage all changes to these characteristics.
▲ Record and report the implementation status for each change.

Configuration management involves process monitoring, version control, information capture, quality control, bookkeeping, and an organizational framework to support these activities. The change control process generally consists of five tasks:

1. Proposing a change.
2. Cataloging the intended change.
3. Scheduling the change.
4. Implementing the change.
5. Reporting the change to the appropriate parties, such as those who are affected by the change and those who need to document the change.

Primary Functions of Configuration Management

The primary functions of configuration management or change control are

▲ To ensure that the change is thoroughly tested before being implemented.
▲ To ensure that the change is implemented in such a way that disruption to the business is minimal.
▲ To ensure that users are informed of the impending change.
▲ To analyze the effect of the change on the system after implementation.
▲ To reduce the negative impact that the change might have had on the computing services and resources.

10.1.2 Understanding the Components of Configuration Management

The five major components of configuration management and their functions are as follows:

▲ Configuration identification
▲ Configuration control
▲ Configuration status accounting
▲ Configuration auditing
▲ Documentation control

Let's look at each of these components.

Configuration Identification

Configuration management entails decomposing a system's configuration into identifiable, understandable, manageable, and trackable units known as configuration items (CIs). The decomposition process is called configuration identification. A CI is a uniquely identifiable subset of the system that represents the smallest portion to be subject to independent configuration control procedures. CIs can vary widely in size, type, and complexity. Although no hard-and-fast rules exist for decomposition, the ability to create CIs of various sizes can have great practical importance. A good strategy is to designate relatively large CIs for elements that are not expected to change over the life of the system, and small CIs for elements likely to change more frequently.

Configuration Control

Configuration control is a means of ensuring that all system changes are approved before being implemented and that the implementation is complete and accurate. This activity involves strict procedures for proposing, monitoring, and approving system changes and their implementation. Configuration control should be directed by personnel who coordinate analytical tasks, approve system changes, review the implementation of changes, and supervise other tasks such as documentation.

Configuration Status Accounting

Configuration status accounting documents the status of configuration control activities and, in general, provides the information needed to manage a configuration effectively. It allows managers to trace system changes and to establish the history of any problems and associated fixes. Configuration accounting also tracks the status of current changes as they move through the configuration control process.

Configuration Auditing

Configuration auditing is the quality assurance component of configuration management. It involves periodic checks to determine the consistency and completeness of accounting information and to verify that all configuration management policies are being followed.
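The four components just described, carried through on a small scale as an added example (not from the book): configuration identification fingerprints each CI, configuration control moves a change record through proposed, approved and implemented, status accounting keeps the history, and configuration auditing compares the live configuration with the approved baseline and reports anything that changed without a record behind it. The two text CIs, the change identifiers and the status names are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass


def fingerprint(content):
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def snapshot(cis):
    """Configuration identification: one fingerprint per configuration item."""
    return {name: fingerprint(content) for name, content in cis.items()}


@dataclass
class ChangeRecord:
    change_id: str
    ci_name: str
    new_content: str
    status: str = "proposed"     # proposed -> approved -> implemented


class ConfigurationControl:
    """Change control, status accounting and auditing for a set of CIs."""

    def __init__(self, baseline_cis):
        self.baseline = snapshot(baseline_cis)
        self.changes = {}
        self.history = []        # status accounting: (change_id, event)

    def propose(self, change_id, ci_name, new_content):
        if ci_name not in self.baseline:
            raise KeyError(f"unknown CI {ci_name!r}")
        self.changes[change_id] = ChangeRecord(change_id, ci_name, new_content)
        self.history.append((change_id, "proposed"))

    def approve(self, change_id):
        self.changes[change_id].status = "approved"
        self.history.append((change_id, "approved"))

    def implement(self, change_id, live_cis):
        """Apply an approved change to the live configuration and move the
        baseline with it; unapproved changes are refused."""
        record = self.changes[change_id]
        if record.status != "approved":
            raise PermissionError(f"{change_id} is {record.status}, not approved")
        live_cis[record.ci_name] = record.new_content
        self.baseline[record.ci_name] = fingerprint(record.new_content)
        record.status = "implemented"
        self.history.append((change_id, "implemented"))

    def audit(self, live_cis):
        """Configuration auditing: anything that differs from the approved
        baseline without a change record behind it is a finding."""
        observed = snapshot(live_cis)
        findings = []
        for name, expected in self.baseline.items():
            if name not in observed:
                findings.append((name, "missing"))
            elif observed[name] != expected:
                findings.append((name, "modified outside change control"))
        for name in observed:
            if name not in self.baseline:
                findings.append((name, "not a registered CI"))
        return sorted(findings)


# Constructed CIs: two text configurations of a small server.
BASELINE = {
    "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "firewall.rules": "allow tcp/22 from 192.0.2.0/24\ndeny all\n",
}


def run_scenario():
    """Audit findings before and after one controlled change, plus the history."""
    control = ConfigurationControl(BASELINE)
    live = dict(BASELINE)
    # Someone edits sshd_config directly, bypassing change control.
    live["sshd_config"] = "PermitRootLogin yes\nPasswordAuthentication no\n"
    before = control.audit(live)
    # A firewall change goes through the proper process.
    control.propose("CR-1", "firewall.rules",
                    "allow tcp/22 from 192.0.2.0/24\nallow tcp/443 from any\ndeny all\n")
    control.approve("CR-1")
    control.implement("CR-1", live)
    after = control.audit(live)
    return before, after, control.history


if __name__ == "__main__":
    before, after, history = run_scenario()
    print("before:", before)
    print("after: ", after)
    print("history:", history)
```

The audit keeps flagging sshd_config after the firewall change because that edit never had a change record; rolling it back, or retro-actively raising and approving a record for it, is the decision the audit exists to force.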

those updates are useless unless they are applied. Will you visit each user’s computer to ensure the patch is applied? Will you send an email to users and trust them to download and apply the patch? One way to help prevent your systems from becoming out-of-date and to automate the effort of applying patches is to create a security update infrastructure that automates the deployment of patches throughout the organization.4 Creating a Security Update Infrastructure To create a security update infrastructure. configuration changes. Facility environment changes. However. . Changes to the disaster recovery or business continuity plans. Table 10-1 lists the different methods of updating computers in a Windows network. 10. When deciding which security update method to use. it is easy to forget to do so or to put it off because you have so many other things to do. operating system and application vendors release security updates (one type of patch) that remove those vulnerabilities. Such changes could include the following: ▲ ▲ ▲ ▲ Changes to the system infrastructure. ventilation. The solution you devise will depend on the automatic update methods supported by the operating systems and applications you must update. It’s important to update all relevant documentation when system changes occur.3 Importance of Automating Updates As new vulnerabilities are discovered. For our discussion. and air conditioning) and electrical changes.360 ONGOING SECURITY MANAGEMENT Documentation Control Documentation control is a cornerstone of configuration management. as far as security updates go. Although you can (and should) periodically check informational sites to see what new vulnerabilities have been reported and check vendor sites for information about security patches and new threats. you should consider how many client computers need to be updated. 
The Microsoft Windows Update website is useful when only a small number of computer systems require updating because it requires each computer to download updates. which can really use up bandwidth on even a medium-sized network. 10. including the operating system that the method supports and whether or not it supports software patches. And even if you read about a patch. Unfortunately. Changes to security policies or procedures. no single solution solves all of the problems. you must be able to determine what needs to be updated and how the updates will be accomplished.1. such as office moves or HVAC (heating. there’s still the issue of deploying it.1. we’ll focus on the methods available for updating computers in a Windows network. or both.

10.1 MANAGING UPDATES 361

Table 10-1: Methods of Updating a Windows Network

Update Method: Windows Update
Operating Systems Supported: Windows 98 and higher
Description: The Microsoft Windows Update website is a wonderful utility for keeping individual computers and the computers for a small business up-to-date. Windows Update allows users to update their own systems or, for Windows XP Service Pack 1 and higher, to configure updates to be downloaded and installed automatically using Automatic Updates.

Update Method: Software Update Services (SUS)
Operating Systems Supported: Windows 2000 and higher
Description: Microsoft SUS gives an administrator the ability to selectively deploy updates and service packs. The updates can be synchronized from the Microsoft Windows Update website and saved to an SUS server, where an administrator can test the update to see if it is compatible with the configuration and applications that are currently running in the network environment. The client computers, running the Automatic Updates component, will download only approved updates from the SUS server and apply them.

Update Method: Windows Server Update Services (WSUS)
Operating Systems Supported: Windows 2000 Service Pack 4 and higher
Description: WSUS 3.0 is the newest version of SUS. It includes a Microsoft Management Console (MMC) snap-in instead of a web-based management interface. It can also be used to deploy updates for Microsoft Exchange, Microsoft Office, Windows Defender, Microsoft SQL Server, and a number of other products.

Update Method: Systems Management Server (SMS)
Operating Systems Supported: Windows 98 and Windows NT® 4.0 and higher
Description: Microsoft SMS 2003 is a comprehensive change management and configuration solution. It is capable of deploying applications, managing security and software patches, and managing assets. Unlike SUS, SMS 2003 is not free and requires SQL Server.

An SUS or WSUS server can update a relatively small number of client computers or several thousand. Each WSUS server can handle updating about 15,000 client computers; you should add additional WSUS servers as needed. One reason you might need multiple WSUS servers is to support multiple geographic locations. You can still make sure that only one of the WSUS servers in your hierarchy retrieves the updates from Microsoft and then configure the other WSUS servers to download the updates from the WSUS server that receives the updates directly from Microsoft. This design is illustrated in Figure 10-1. With SUS, you had to deploy a different SUS server for each computer configuration that might need a different set of updates. With WSUS, this is no longer a requirement because you can create groups of computers on the WSUS server or through Group Policy.

Microsoft SMS 2003 can be used to update a practically limitless number of client computers. It is usually reserved for the larger enterprise organizations because it is expensive and requires its own administrative staff to configure, deploy, and manage its infrastructure. In most cases, a configuration made up of both WSUS and Group Policy will solve most update and configuration management issues.

There will also be some situations in which Automatic Updates is not the best solution. For example, you should never update servers directly from the Windows Update website because you should test patches before installing them on servers. Also, most servers, especially mission-critical servers, should not be updated automatically because some updates cause a reboot.

10.1.5 A WSUS Solution
There are two parts to the WSUS solution:
▲ The server (or servers) running WSUS that downloads updates from the Microsoft Windows Update servers or from other internal WSUS servers. Before applying the updates, WSUS will check the digital signature to make sure that it bears Microsoft’s signature. If the update package is not signed, it will not be applied.
▲ The Automatic Updates client that downloads the updates from an SUS server in your network.
WSUS has the added advantage of updating some applications. The remainder of this section will focus on WSUS, but most of the same considerations would apply to SUS.

10.1.6 Configuring SUS Clients
You will also need to configure the Automatic Updates client on the computers in your organization to look to their respective WSUS server to retrieve and apply

the updates. In the following sections, we will look at the different techniques that you can use to configure a computer to use your WSUS infrastructure.

Figure 10-1 WSUS hierarchy.

Using Group Policy Objects to Configure SUS Clients
The recommended method of configuring WSUS clients is to use Group Policy. Group Policy allows an administrator to configure a policy once and have it be applied consistently throughout the directory. As is the case with any other configuration options being set in a Group Policy Object (GPO), Windows Update settings are configured under Computer Configuration | Administrative Templates | Windows Components | Windows Update. If you do not have the Windows Update section under the Windows Components container, right-click “Administrative Templates” and select “Add/Remove Templates” and add “wuau.adm.” Here you can enable Automatic Updates and set the appropriate schedule for the client computers to check for updates. The Configure Automatic Updates Properties dialog box is shown in Figure 10-2. You might want to apply a different schedule to various organizational units (OUs) to distribute the load on the WSUS server across time.

Figure 10-2 The Configure Automatic Updates Properties dialog box.

You will also need to enable and configure the Specify intranet Microsoft update service location policy to point to the WSUS server, as shown in Figure 10-3.

Figure 10-3 Specify intranet Microsoft update service location Properties dialog box.

Manually Configuring SUS Clients
In addition to using a GPO, you can configure the settings manually on the client using any one of the following techniques:
▲ Use the Local Security Policy on each workstation. The steps are identical to when configuring a GPO, but applied only to the computer that you configure it on.
▲ Use the Automatic Updates tab of the System Properties Control Panel applet, as seen in Figure 10-4.
▲ Manually modify the Registry on each client.
As you can see, the only realistic option is to use a GPO when there are a moderate or large number of client computers involved.

Figure 10-4 The Automatic Updates tab in the System Properties Control Panel.

FOR EXAMPLE
Designing a Software Update Infrastructure
Busicorp has four locations. Most of the IT staff is located in Chicago. The company has two domain controllers at each location, a Microsoft Exchange 2003 server at each location, and a computer running Microsoft SQL Server 2005 in Chicago and Detroit. All servers are running Windows Server 2003. There are over 1000 client computers at each location. All client computers are running Windows XP Professional with Service Pack 2. All client computers run Microsoft Office XP. There are between 50 and 100 application developers at each location. Developers use Visual Studio® .NET, Java™, and Macromedia® Flash®. Some application developers run SQL Server 2005. Busicorp wants to ensure that applications and operating systems are kept up-to-date, but they do not want to invest more money than necessary. They also want to ensure that only tested patches are applied to client computers.

You install a WSUS server at each office. You configure the one in Chicago to download updates for Windows Server 2003, Windows XP Professional, Microsoft Exchange 2003, Microsoft SQL Server 2005, and Microsoft Office XP from the Windows Update website. You configure the WSUS servers at the other offices to download updates from the WSUS server in Chicago. You use Group Policy to configure automatic update policies for clients using WSUS groups. You will want to make sure that your OU structure is designed in such a way that software updates and patches can be deployed with a minimum of administrative effort. You also create GPOs to deploy software not supported by WSUS to the developers’ computers and to manually monitor these applications for security patches.

SELF-CHECK
1. Identify and describe the components of a change control process.
2. Identify two ways in which WSUS is an improvement over SUS.

10.2 Auditing and Logging
Auditing and monitoring procedures for networks are used to ensure that security controls are operating and providing effective protection for the information systems. An audit is a one-time or periodic event to evaluate security, and auditing or monitoring refers to an ongoing activity that examines either the system or the users.

10.2.1 Security Audits
An audit is conducted by either a group internal to an organization or by third-party auditors. Internal auditors normally evaluate security practices and compliance with standards, and recommend improvements to safeguards and controls. Auditors evaluate contingency plans, audit trails, development standards, and other procedures related to the business and its assets. Third-party auditors are usually certified professionals such as Certified Information Systems Auditors (CISAs).

Standards
The Information Systems Audit and Control Association (ISACA) has developed standards and guidelines for auditing IT systems. The following are examples of some of the guidelines:
▲ The audit function must be sufficiently independent of the area being audited to permit objective completion of the audit.
▲ The information systems auditor must adhere to the Code of Professional Ethics of the ISACA.
▲ The information systems auditor must maintain technical competence through the appropriate continuing professional education.
▲ During the course of the audit, the information systems auditor obtains sufficient, reliable, relevant, and useful evidence to achieve the audit objectives effectively.
▲ The information systems auditor provides a report, in an appropriate form, to the intended recipients upon the completion of the audit work.

Audit trails (also called audit logs or event logs) are logs of events that provide a history of occurrences in the IT system. They are used for tracing sources of intrusions, recording results of intrusions, and, in general, summarizing the history of activities that took place on a system. An audit trail associated with information system security might record the following:
▲ Internal and external attempts to gain unauthorized access to a system.
▲ Occurrences of intrusions and their resulting consequences.
▲ Unauthorized privileges granted to users.
▲ Patterns and history of access.
Because of their importance, audit logs should be protected at the highest level of security in the information system.

10.2.2 Monitoring
Monitoring is an active, sometimes real-time, process that identifies and reports security events that might be harmful to the network and its components. Monitoring responsibility in an organization usually falls under the CIO or equivalent officer. Examples of items monitored include LAN and Internet traffic, LAN protocols, inventories of network devices, and operating system security functions. Intrusion detection mechanisms, penetration testing, and violation processing are used to accomplish monitoring.

Intrusion detection (ID) is applied to detect and analyze intrusion attempts. A detailed discussion of intrusion detection systems is beyond the scope of this chapter. Penetration testing probes and tests a network’s defenses to determine the state of an organization’s information security. Penetration testing employs many of the same tools used by attackers, including scanners, protocol analyzers (packet sniffers), war dialers (equipment that looks for an unauthorized remote access server), and social engineering to determine the security status of the organization.

Violation analysis uses clipping levels to detect potentially harmful events. Examples of such potentially harmful events or situations include unauthorized network devices, unauthorized personal servers, personnel exceeding their authorization privileges, and unprotected sharing of resources. By using threshold or clipping levels, below which activities are deemed benign, the amount of information that has to be analyzed can be reduced significantly. For example, clipping levels can detect excessive numbers of personnel with unrestricted access to the system and repetitive mistakes.

10.2.3 Auditing on Unix®
Some security-relevant events are recorded automatically in Unix or Linux log files. These log files are as follows:

The precise name and location of these files might be different depending on the flavor of Unix or Linux you are running.
▲ /usr/adm/lastlog: The lastlog file records the last time a user has logged in; this information can be displayed with the finger command.
▲ /var/adm/utmp: The utmp file records accounting information used by the who command.
▲ /var/adm/wtmp: The wtmp file records every time a user logs in or logs out; this information can be displayed with the last command.
▲ /var/adm/acct: The acct file records all executed commands; this information can be displayed with the lastcomm command. To prevent this file from taking over all available memory, it can be pruned automatically at regular intervals.
Accounting, turned on by the accton command, can also be used for auditing purposes. Most of these events refer to a user, so the log entry should include the user identity (UID) of the process causing the event. How is auditing then affected by set userID (SUID) programs? Such a program runs with the UID of its owner, not with the UID of the user running the program. Hence, the log entries should also include the real UID of the process.

10.2.4 Auditing in Windows
You can enable auditing on a Windows 2000 (or later) computer through Local Security Policy or Group Policy. Audit policies can be configured so that successful, failed, or both successful and failed attempts are audited. The audit policies, shown in Figure 10-5, are as follows:
▲ Audit account logon events: audits attempts to authenticate. This event occurs on the computer that is authenticating the user.
▲ Audit account management: audits attempts to create, delete, or modify a user account.
▲ Audit directory service access: audits specific types of directory service access. Each Active Directory® object has a security access control list (SACL) that defines which types of access are audited for that object.
▲ Audit logon events: audits attempts to log on interactively to a computer.
▲ Audit object access: audits file system or printer object access. Each directory, file, and printer has an SACL that defines what types of access attempts should be audited.
▲ Audit policy change: audits changes to security policy, such as user rights assignments, auditing policies, trust relationships, Kerberos policies, and IPsec agent events.
▲ Audit privilege use: audits attempts to exercise a user right.

▲ Audit process tracking: audits detailed events about activities in the system, including each time a program is started or a user tries to install a service or create a task scheduler job. Enabling this audit policy can result in a large number of events being written to the Security log.
▲ Audit system events: audits shutdowns, startups, changing the system time, clearing the audit log, and other operating system security events.

Figure 10-5 Audit Policy node.

It is essential to keep the audit files on each computer secure so that an attacker does not have an easy way to delete or modify them. On a Windows 2000 (or later) computer, the right to manage the security log and to generate security audits is managed through User Rights Assignment. By default, only Administrators have the right to manage the security log and only the Local System and Network Service built-in accounts have the right to generate security audits. You should think long and hard about extending these rights to any other users or groups.

FOR EXAMPLE
A Hacker Doesn’t Leave Breadcrumbs
Although a script kiddie might not think to delete the evidence of an attack, a professional hacker will try not to leave behind evidence. One way to do this is by deleting the audit trail.
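The wtmp file from the Unix auditing section is a binary audit trail, and "deleting the audit trail" often means truncating or editing it. The added example below (not from the book) parses the record layout that glibc uses on x86-64 Linux, an assumption since other Unix flavors differ as the text notes, rebuilds the login history the way the last command does, and refuses a file whose length is not a whole number of records; the sample records are constructed.

```python
"""Rebuild the login history from a Linux wtmp file (what `last` prints).

Added example, not from the book. The record layout is the glibc utmp
struct on x86-64 Linux (assumed); the sample records are constructed.
"""
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86-64: 384 bytes per record, little-endian.
# ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], padding.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384
USER_PROCESS = 7  # ut_type written when a user logs in
DEAD_PROCESS = 8  # ut_type written when that session ends


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data: bytes) -> list:
    """Return one dict per record.

    A length that is not a whole number of records means the file was
    truncated or is in another Unix flavor's format; either way it must
    be reported rather than silently skipped.
    """
    if len(data) % UTMP_SIZE:
        raise ValueError(
            "wtmp length %d is not a multiple of %d bytes" % (len(data), UTMP_SIZE))
    records = []
    for offset in range(0, len(data), UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FORMAT, data, offset)
        ut_type, pid, line, _ident, user, host = fields[:6]
        tv_sec = fields[9]  # ut_tv.tv_sec
        records.append({
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        })
    return records


def login_sessions(data: bytes) -> list:
    """Pair each login with the next logout on the same terminal line, as
    `last` does. Returns (user, line, host, login_time, logout_time);
    logout_time is None for sessions that never recorded a logout."""
    open_by_line = {}
    sessions = []
    for rec in parse_wtmp(data):
        if rec["type"] == USER_PROCESS:
            open_by_line[rec["line"]] = rec
        elif rec["type"] == DEAD_PROCESS and rec["line"] in open_by_line:
            start = open_by_line.pop(rec["line"])
            sessions.append(
                (start["user"], start["line"], start["host"], start["time"], rec["time"]))
    for start in open_by_line.values():
        sessions.append((start["user"], start["line"], start["host"], start["time"], None))
    return sessions


def make_record(ut_type: int, pid: int, line: str, user: str, host: str,
                tv_sec: int) -> bytes:
    """Build one 384-byte record; used here only to construct sample data."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: alice logs in and out on pts/0; bob's session on pts/1
# has no logout record yet.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1_000_000),
    make_record(USER_PROCESS, 1300, "pts/1", "bob", "10.0.0.9", 1_000_600),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1_003_600),
])

if __name__ == "__main__":
    for user, line, host, login, logout in login_sessions(SAMPLE_WTMP):
        end = logout.strftime("%H:%M") if logout else "still logged in"
        print("%-8s %-6s %-15s %s - %s"
              % (user, line, host, login.strftime("%a %b %d %H:%M"), end))
```

A real file is read with open("/var/log/wtmp", "rb") on most Linux systems; comparing its session list against lastlog and utmp is one way to notice that a login was removed from one trail but not the others.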
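The clipping levels described under Monitoring, worked through as an added example that is not from the book: the script scans constructed sshd-style log lines and reports only users and source addresses whose failed logons reach a threshold inside a time window, so occasional typos stay below the level and repeated failures from one source surface. The line format, the clipping level of 5 and the 5-minute window are assumptions.

```python
"""Violation analysis with clipping levels over failed-logon records.

Added example, not from the book. The log lines are constructed in
syslog/sshd style; the field layout, the clipping level of 5 and the
5-minute window are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: alice mistypes twice and then succeeds (benign),
# bob fails once an hour (never 5 inside one window), mallory fails six
# times in 90 seconds from a single address (above the clipping level).
SAMPLE_LOG = """\
Mar 13 08:00:01 srv1 sshd[4011]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Mar 13 08:00:09 srv1 ssh[4011]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Mar 13 08:00:20 srv1 sshd[4012]: Accepted password for alice from 10.0.0.5 port 51001 ssh2
Mar 13 08:10:00 srv1 sshd[4100]: Failed password for invalid user mallory from 203.0.113.7 port 40001 ssh2
Mar 13 08:10:15 srv1 sshd[4101]: Failed password for invalid user mallory from 203.0.113.7 port 40002 ssh2
Mar 13 08:10:31 srv1 sshd[4102]: Failed password for invalid user mallory from 203.0.113.7 port 40003 ssh2
Mar 13 08:10:48 srv1 sshd[4103]: Failed password for invalid user mallory from 203.0.113.7 port 40004 ssh2
Mar 13 08:11:05 srv1 sshd[4104]: Failed password for invalid user mallory from 203.0.113.7 port 40005 ssh2
Mar 13 08:11:30 srv1 sshd[4105]: Failed password for invalid user mallory from 203.0.113.7 port 40006 ssh2
Mar 13 09:00:00 srv1 sshd[4200]: Failed password for bob from 10.0.0.9 port 52000 ssh2
Mar 13 10:00:00 srv1 sshd[4201]: Failed password for bob from 10.0.0.9 port 52001 ssh2
Mar 13 11:00:00 srv1 sshd[4202]: Failed password for bob from 10.0.0.9 port 52002 ssh2
Mar 13 12:00:00 srv1 sshd[4203]: Failed password for bob from 10.0.0.9 port 52003 ssh2
Mar 13 13:00:00 srv1 sshd[4204]: Failed password for bob from 10.0.0.9 port 52004 ssh2
"""

# Only failed logons are events of interest; every other line is ignored.
FAILED_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd?\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def parse_failed_logons(text: str) -> list:
    """Return (timestamp, user, source_ip) for each failed-logon line."""
    events = []
    for line in text.splitlines():
        match = FAILED_RE.match(line)
        if match:
            # syslog timestamps carry no year; only relative spacing matters here
            when = datetime.strptime(match.group(1), "%b %d %H:%M:%S")
            events.append((when, match.group(2), match.group(3)))
    return events


def violations(events: list, clipping_level: int, window_seconds: int) -> dict:
    """Return {key: peak_count} for every key whose events reach clipping_level
    inside some window of window_seconds. Keys that never reach the level are
    deemed benign and are not reported at all; that is how a clipping level
    cuts the volume an analyst has to read."""
    times_by_key = defaultdict(list)
    for when, key in events:
        times_by_key[key].append(when)
    flagged = {}
    for key, times in times_by_key.items():
        times.sort()
        window = deque()
        peak = 0
        for when in times:
            window.append(when)
            # drop events that have fallen out of the trailing window
            while (when - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= clipping_level:
            flagged[key] = peak
    return flagged


def failed_logon_report(text: str, clipping_level: int = 5,
                        window_seconds: int = 300) -> dict:
    """Apply the clipping level once per user and once per source address."""
    events = parse_failed_logons(text)
    return {
        "events_examined": len(events),
        "users": violations([(t, user) for t, user, _ in events],
                            clipping_level, window_seconds),
        "sources": violations([(t, ip) for t, _, ip in events],
                              clipping_level, window_seconds),
    }


if __name__ == "__main__":
    report = failed_logon_report(SAMPLE_LOG)
    print("failed logons examined:", report["events_examined"])
    for kind in ("users", "sources"):
        for key, peak in report[kind].items():
            print("%s %s: %d failures inside one window" % (kind[:-1], key, peak))
```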

Figure 10-6 Security log.

You can view audited events through the Security log in Event Viewer, as shown in Figure 10-6.

SELF-CHECK
1. Identify the Unix log file that stores information about each time a user logs on and logs off.
2. Identify the Windows audit policy that tracks each time a system is restarted.

10.3 Secure Remote Administration
A network needs constant maintenance and administration to keep it running successfully. The most secure way to manage a server is by sitting down at the console and keyboard and logging in to it. But there will be times when this is inconvenient or impossible. For example, you might not have access to the server room where the equipment is housed, or your computers might be hosted by a remote company like an Internet service provider (ISP) or an offsite data center. You will need to use tools to manage the network, especially if you need to be able to manage one or more computers remotely, but these tools can put your network at risk for attack. In this section, you will learn about the security risks associated with managing the network remotely. You will also learn about various tools that can be used for remote network management.

10.3.1 Creating a Remote Management Plan
A remote management plan ensures that the proper tools and configuration you choose for managing your servers are in line with your security policy and infrastructure. Some benefits of remote management include the following:
▲ Reduced total cost of ownership.
▲ Increased convenience and productivity of administrators.
▲ Increased availability of servers.
Your remote management plan will help you understand what type of management each server needs, who will administer them, whether they need to be managed locally or remotely, the location of the servers in your organization, and the requirements for security on the servers. You should use the following steps to develop the remote management plan:
1. Evaluate remote management needs.
2. Determine the tools and hardware needed to meet your remote management needs.
3. Design the hardware and software configuration.
4. Configure the network infrastructure to accommodate remote management.
5. Plan remote management deployment.

Evaluating Remote Management Needs
When developing your remote management plan, the first thing you need to do is determine which servers you will manage remotely. You will need to decide whether you will allow remote administration of each server and the extent to which you will need to remotely manage the network. You need to consider the cost savings, convenience, and availability requirements and weigh them against the company’s security policy requirements. For example, you might be required to have access to the system seven days a week, twenty-four hours a day. You might find that the cost of remote management within the security guidelines outweighs the benefits of remote management. For example, suppose your company’s security policy requires that data on sensitive database servers be protected by an expensive authentication and data encryption system if the servers are to be remotely accessed. The system might contain per-server and yearly subscription fees that make remote administration more expensive than just using local administration of the server as the only administrative option.

You also need to decide whether you need to allow remote administration from the internal network only or from an external network as well. For example, if you need around-the-clock uptime, you might need to allow an administrator to connect to a server from home. If you need to provide access from an external network, you need to consider additional security measures and determine whether remote administration will be permitted through a virtual private network (VPN), Hypertext Transfer Protocol (HTTP), or dial-up connection.

Threats of Remote Management
Remote management introduces new threats to your servers. Remotely managing computers will potentially allow sensitive information to be transmitted across the network. You must ensure that the management tool provides the necessary means to prevent eavesdropping of the data it sends, or you must provide this service yourself (usually through VPN, IPsec, or Secure Sockets Layer). Some of the threats posed by remote management include the following:
▲ Increased attack surface because attackers can use the tools to gain access.
▲ Sensitive data sent across the network.
▲ Security holes in remote administration tools or services that are not patched or kept up-to-date.

Determining the Tools and Hardware Needs
Remote management tools make it possible to perform any management action on the server remotely except for hardware installation. When you remotely manage a server, you can take advantage of in-band and out-of-band remote management tools. In-band remote management tools are tools that you use to manage a server that is functioning correctly and can communicate with the network. Some in-band remote management tools can be used only on a Windows server. Others can be used on servers running various network operating systems. In-band remote management tools are discussed a little later in the section. Out-of-band remote management tools are used if the server is not responding to standard network communications. This could be because the server is hung up or a network device has stopped functioning. Out-of-band connections usually involve using the serial port on the server to administer the server. This connection can be established remotely through specialized hardware or a dial-up connection. Using out-of-band management tools combined with the appropriate hardware, you will need to locally manage a server only for hardware upgrades and maintenance.

Out-of-band management services in Windows Server 2003 are provided by the Emergency Management Services (EMS). To effectively use EMS, you might need to purchase additional hardware and you’ll need to weigh the cost of additional hardware with the benefit of the service.

10.3.2 Remote Management Security Considerations
It’s important to secure the hardware and software used for remote management, especially in the case of out-of-band remote management. In general, your security strategy for remote management should include the following:
▲ User authentication: The server should allow remote management only by the appropriate administrator.
▲ Machine authentication: The server should allow remote management from only the appropriate computer. Computers can be authenticated using IP address restrictions or (preferably) computer certificates.
▲ Encryption: Information sent over the network because of remote management needs to be confidential.
▲ Auditing: All access due to remote administration should be logged in a secure fashion.
▲ Physical security: The hardware should be physically secure.
You will also need to design the appropriate rights and folder permissions to protect the remote management tools, so that only the appropriate administrators can access them.

Configuring the Network for Remote Administration
Configuration changes must be made to the network infrastructure to support remote administration. There are a few things to consider:
▲ Types of connection.
▲ Changes that will need to be made to firewall configurations.
▲ Changes to IP packet filtering settings to support remote management.
The type of connection you use will depend on which type of connection will support the remote management tool you are using. Out-of-band communication cannot be secured using operating system security features, so you will need to plan for the physical security of the serial connections required. With in-band remote management, you must pay attention to requirements of how the administrators will authenticate to the server and mechanisms for encrypting communications with the server. You will also need to consider the impact of in-band remote management on your firewall configuration. Beyond that, the type of connection you choose will determine whether you need additional security

in terms of establishing a VPN connection first to encrypt the traffic that passes over the connection.

If you need to manage a server through a firewall, you must determine the port numbers used by the management tool. Some common ports for management tools include 3389 for the Remote Desktop Protocol (RDP), 22 for Secure Shell (SSH), 23 for Telnet, 80 for HTTP, 135 for remote procedure call (RPC), and 443 for HTTPS (HTTP over SSL). After you identify the ports required for the remote management tool, you should verify the firewall settings to determine if the management tool can work through the firewall. If it will not, you should decide whether the risk of opening the ports is worth the benefits of using the management tool through the firewall. You might determine that it is not, in which case you should look for an alternative tool to manage the server. You will also need to consider any IP packet filtering you might be doing on the firewall, routers, or servers. IP packet filtering allows you to control which packets can pass through a network device. This is useful for controlling the applications that can communicate with the server or through a router or firewall. You might need to reconfigure these settings for the remote management tool to work properly.

Using a Secondary Network for Remote Management
One way to increase remote management security is to establish a secondary network specifically designed for remote management traffic, accessed using a secure router. Administrators would be allowed to remotely administer computers only if they had access to this network, along with having the correct user and machine credentials and user rights. A secondary network can improve the performance, security, and availability of your remote management solution by separating the traffic for remote management to its own network.

10.3.3 Planning Remote Management Deployment
After you have designed security for remote management, you should test the design in a lab setting that simulates your production environment. You will need to verify that your configuration is secure and meets the organization’s needs for remote management. You should also verify network connectivity, hardware and software configurations, and the security settings of your servers for remote administration. You will need to verify that you can connect to network resources for the required remote management tools. The following is a list of some of the things you should configure and test according to your design:
▲ Configure and test a secondary network for remote management if one is included in your design.
▲ Configure and test the dial-up settings over a VPN connection if you plan to support secure remote management through dial-up.

▲ Configure and test the firewall settings if you will use remote management tools through the firewall.
▲ Configure and test the IPsec and SSL settings to the servers if you plan to use IPsec or SSL to encrypt remote management traffic.
▲ Configure and test the IP packet filter settings if you have configured the servers or routers to filter for specific applications.
▲ Install and test EMS.
▲ Configure auditing and verify that it collects the information that you need.
▲ Verify any additional software or hardware settings that your design calls for.

Verify the hardware and software configurations in your design. The following is a list of some of the items that you will need to do:
▲ Verify out-of-band remote management configuration and hardware settings.
▲ Verify that you can accomplish your remote management needs through the chosen tools.
▲ Verify that physical security is adequate for the servers and out-of-band remote management components.
▲ Verify that the traffic is encrypted using a network monitoring utility.

You will need to verify the security settings that you have configured for remote administration, particularly your out-of-band hardware configuration and auditing settings. You should verify the following settings for your remote management configuration if they are applicable:
▲ Verify the authentication protocols used to access the server remotely.
▲ Verify that the proper encryption protocols are being used with your design.
▲ Verify the shared folder and NT File System (NTFS) permissions for your remote management plan.
▲ Verify that the security groups and user rights assigned to perform administration of servers only permit the necessary remote management tasks.
▲ Verify any Group Policy settings that you are using to manage the security settings of your servers, including control of remote management.

10.3.4 Securing Windows Inbound Management Tools
If your remote management plan calls for inbound remote management, you will need to choose the tool or tools you will use. In this section, we examine several

management tools that can be used for inbound remote management on a Windows network and the security implications of each.

Figure 10-7 Selecting the computer you want to manage.

Using MMC
MMC is the standard administrative tool in Windows Server 2003. It provides administrators with a standard environment from which they can manage their servers and network. MMC is really a framework to host various management tools. MMC can be used to manage a local server or a remote server by adding snap-ins. Figure 10-7 shows the dialog box for Computer Management that allows you to select to manage the local computer or a computer on the network. Not all snap-ins support remote management. You will need to verify the remote management capabilities and the security features of the snap-ins you want to use for remote management. You will need to determine whether the snap-in supports the following security options:
▲ Encryption capabilities: Does the snap-in support encryption internally and what strength is the encryption? If it does not support encryption, you need to determine how to encrypt its network traffic or not use it for remote management.

▲ Authentication capabilities: Are passwords encrypted or passed as clear text? What authentication protocols can be used? Does the snap-in support integration with Windows authentication or do you have to manage a separate password database and policies for the application? Does the management tool support two-factor authentication, like smart card authentication?
▲ Network communications technology: What protocols does the snap-in support for network communication? Since most snap-ins will support TCP/IP, you should determine the ports that it uses for communication in case you will need to manage a server through a secured router or firewall.

FOR EXAMPLE
Using Snap-ins that Support DCOM
Many snap-ins use Distributed Component Object Model (DCOM). DCOM uses remote procedure calls (RPCs) to communicate between the client and server. Because DCOM uses RPCs, it can support various network protocols, but generally you will be using TCP/IP. The TCP port 135 and UDP port 135 used for RPCs would need to be opened on the firewall if you will be using the tool through a firewall. Due to the danger to your network of these ports being opened (all RPC traffic uses these ports, so it would be difficult to differentiate between programs), your security administrator might not allow you to use the tool directly through the firewall. You could use the tool over a VPN connection to prevent needing to open the port. DCOM authentication is integrated into Windows and supports NT LAN Manager and Kerberos authentication. DCOM supports encryption by using the Packet Privacy option in the dcomcnfg tool used to configure DCOM. This encryption supports the RC4 public key encryption algorithm with a symmetric key strength of up to 128 bits. DCOM also supports the use of other algorithms implemented through the cryptoAPIs of Windows.

Using Remote Desktop for Administration
Remote Desktop for Administration (Remote Desktop for short) provides a graphical user interface (GUI) to remote computers over local area networks (LANs) and wide area networks (WANs). All application processing happens on the server—just the display, keyboard commands, and mouse motions are sent over the network to and from the client. The Remote Desktop does all of this

you might . You can configure RDP by navigating to Administrative Tools and clicking the Terminal Services Configuration utility. Remote Desktop for Administration requires 128-bit encryption for the connection. Remote Desktop for Administration was known as Terminal Services in Windows 2000. as shown in Figure 10-9. For example.3 SECURE REMOTE ADMINISTRATION 379 through the Remote Desktop Protocol (RDP).10. Remote Desktop provides the following features for administering servers equipped with Windows Server 2003 and Windows 2000 Server: ▲ ▲ ▲ ▲ Remote reboots of servers. you will be warned that any accounts that do not have a password will not be able to create a Remote Desktop session with the server. ▲ Local printing. but it is disabled. Support for 2 remote administrators sharing remote sessions for collaboration. When you enable Remote Desktop. and serial device redirection. You have the option of connecting through the Remote Desktop client in Windows or through the web version of the Remote Desktop. You would need to install Internet Information Services (IIS) on each server that you want to support web-based Remote Desktop connections. Remote Desktop for Administration is installed on a Windows Server 2003 computer by default. It is recommended that you use the highest possible encryption for remote management tools. Encryption of up to 128 bits in strength. If you have an older version of the Terminal Services client. programs will continue to run.” On the General tab. Only change this option if it is necessary to support an older client that cannot be updated. so you should leave the RDP protocol setting set to “High” and upgrade the client tools if possible. ▲ Roaming disconnect support. Expand the Connections folder and then right-click the RDP-TCP protocol and select “Properties. you will not be able to connect to a Windows Server 2003 computer with the default settings for RDP. as shown in Figure 10-10. By default. 
which will prevent interrupted installs or long-running tasks. clipboard mapping. Using Remote Desktop has become one of the most popular ways to remotely manage Windows servers on a network. This is supported by the Remote Desktop client in Windows XP and Windows Server 2003. Support for low-bandwidth connections. which means that if your connection is disconnected. select the Client Compatible option to support clients that do not support 128-bit encryption. which provides an ActiveX® control that will allow you to connect over an HTTP connection. ▲ Support for smart card redirection (only supported in Windows 2003). You enable it through the Remote tab of System properties (see Figure 10-8) or through Group Policy.

Whenever you connect to the console session. Using the console session is the same as if you were physically sitting in front of the server. This means that you can view all messages and use applications that only work with the console session. You can connect to the console session by launching the mstsc.exe (Remote Desktop client) with the /console switch or by launching the Remote Desktop MMC snap-in and choosing to connect to the console.380 ONGOING SECURITY MANAGEMENT Figure 10-8 Enabling Remote Desktop. You also will need to consider allowing administrators to connect to the console session of the Windows Server 2003 computer. the physical console will lock for security so that . have a Remote Desktop client that runs on a Linux workstation or a Windows CE device that does not support 128-bit encryption and cannot be upgraded.

It is used primarily by help desk staff to help users solve their problems. both users will see the same screen and can chat with each other through the Remote Assistance chat program. like Remote Desktop. You can even allow the remote user to take control of your computer.10.3 SECURE REMOTE ADMINISTRATION 381 Figure 10-9 Remote Sessions warning. When a Remote Assistance session is established. Using Remote Assistance Remote Assistance was designed to allow someone to connect to a Windows computer to provide assistance. an online conferencing application. Figure 10-10 Setting the RDP protocol encryption level. but is based on the technologies and protocols of Microsoft NetMeeting®. Remote Assistance does not use the RDP protocol. . nobody can watch what the remote administrator is doing by physically sitting at the console.

Remote Assistance is installed, but disabled, on Windows XP and Windows Server 2003 computers by default. You should enable it only on clients where it is needed. You should set a short invitation period for Remote Assistance and use a password that is at least eight characters long and that is a mixture of symbols, numbers, and letters. One security issue you will need to determine is whether you should change your firewall configuration to support Remote Assistance. Remote Assistance requires that TCP port 3389 be opened on a firewall to pass through it.

10.3.5 Securing TCP/IP Remote Management Tools

If you are managing a non-Windows computer or need to manage a Windows computer from a non-Windows computer, you might need to use a command-line tool, such as Telnet or SSH. These tools are supported on any computer that supports TCP/IP. Let’s look at each.

Using Telnet

Telnet is a terminal emulation program that runs a command console on the client computer. The commands you execute do not run on the client but on the server you are connected to. This is similar to the capability provided by Remote Desktop for Administration except that it is command line only. On a Windows computer, you can run Telnet by opening the Start menu, selecting “Run” and typing “telnet” to launch the client, as shown in Figure 10-11. You would then type the following to connect to the remote server running Telnet:

open server_name

You can then issue commands that run on the server. Telnet is not a secure management tool and should not be used across an unsecured network, especially over a WAN. It requires you to log on using a username and password, but these are passed in clear text over the network. Also, all commands and data are sent over the network without any form of encryption. Authentication is limited to passing the username and password in clear text without support for smart cards or other forms of authentication. Therefore, if you require Telnet, you will need to implement another means of encryption, like establishing a VPN using L2TP (Layer 2 Tunneling Protocol) and IPSec for providing a stronger means of authentication and encryption of network traffic. If this is not possible, you should use SSH as an alternative to Telnet.

Secure Shell (SSH)

Secure Shell (SSH) is a technology that was developed by SSH Communications Security, Ltd. to provide for secure authentication and communications for remote shells and file transfers. SSH provides for strong authentication mechanisms.

Figure 10-11 Telnet session.

SSH’s authentication options include certificate-based authentication like smart cards. SSH guards against eavesdropping on packets and IP redirection by encrypting the communications between the server and client. If available, SSH is preferred over Telnet for providing remote administration through the command line.

10.3.6 Designing for EMS

EMS is a collection of out-of-band management tools that enable you to manage a Windows Server 2003 computer when it is no longer responding to in-band management tools. EMS is made up of standard Windows Server 2003 components that have been modified to redirect their output to the out-of-band communication port in addition to the video card. The following Windows components support out-of-band communication:

▲ Recovery Console
▲ Remote Installation Services (RIS)
▲ Text mode setup
▲ Setup loader

In addition to the standard Windows components, EMS includes two remote management consoles: Special Administration Console (SAC) and !Special Administration Console (!SAC). Using the SAC is the most common way to access the EMS services on a Windows Server 2003 computer. You can access EMS through a terminal emulator, like HyperTerminal, that connects to a serial port on the server, as shown in Figure 10-12. SAC provides you with a command-line environment to manage the server when it is locked up.

Figure 10-12 Special Administration Console.

You can issue commands to the SAC to perform the following administration tasks:

▲ Restarting the server.
▲ Shutting down the server.
▲ Displaying the list of running processes.
▲ Killing a process.
▲ Configuring the IP address on the server.
▲ Generating a stop error so the server dumps memory (writes the contents of memory to a file).
▲ Starting a command prompt in the operating system.

The SAC will be available as long as the kernel of Windows Server 2003 is running. This means you can issue commands early in the boot process, because as soon as the kernel is running, if EMS is enabled on your server, you can have access to the SAC. The SAC provides user mode access (access to commands that run under the context of a user and can access memory available to user processes) through the cmd command, which launches a command prompt that you can use to start a command-line in-band management tool like Telnet to make managing the server easier, if possible.

SAC also allows you to view the setup logs generated during the setup process to check on the progress of the setup or to diagnose problems with the setup. You can press “Esc+Tab” to switch to the SAC and view the setup logs during the GUI portion of the setup.

The !SAC is the fail-safe special management console that will load if the SAC fails to start for some reason. This is an automatic process. The !SAC does not provide all of the same functionality the SAC provides. In fact, it only provides two functions:

1. Redirecting stop error messages.
2. Restarting the server.

You can utilize the EMS services that are built into Windows Server 2003 to provide management of the server if the kernel is running or during loading. If you purchase additional hardware like a service processor (a special processor that includes its own power supply and allows access to system management features using Telnet or a web-based interface), you can manage the server even if the kernel is not working.

You will need to decide how you will connect to the server to support EMS. Generally, you are going to connect to a serial connection on the server. You can purchase additional hardware to add network support for EMS. There are four basic designs for laying out your EMS infrastructure: direct serial connection, modem serial connection, terminal concentrator, and intelligent uninterruptible power supply (UPS). Let’s take a look at each.

Using a Direct Serial Connection

A direct serial connection is the simplest of the out-of-band connections to a server. You can establish the connection by using a null modem cable (a serial cable that allows two computers to connect to each other through serial ports by reversing the send and receive lines) between the management computer and the server running EMS (see Figure 10-13). The management computer is a computer that is running some kind of terminal emulation software. The easiest software to use is HyperTerminal because it comes with any Windows operating system, but almost any type of terminal emulation software will work. You will need to make sure that the management computer and the server are physically secure to protect this design. The main benefit of direct serial connections is that they are easy to set up because they require no additional hardware. The direct serial connection has a number of disadvantages:

▲ Computers need to be close to each other for physical security.
▲ It’s difficult to manage more than a few computers using a direct serial connection.
▲ It has the most limited functionality.

Figure 10-13 Direct serial connection.

The direct serial connection is a great way to quickly connect a laptop computer to diagnose a server problem, like a hung server.

Using a Modem Serial Connection

A modem serial connection is similar to a direct serial connection except that it involves putting a modem between the management computer and the servers. You would then dial into the modem and use a terminal emulation program. Figure 10-14 shows how a modem setup would look. You have two connections to secure: the connection between the management computer and the modem and the connection between the modem and the server. Security on the serial connection between the modem and the server will need to be physically maintained. Security on the connection between the management computer and the modem is based on security features found in the modem. For example, you could enable callback features in the modem to allow only connections from known numbers. The benefits of using a modem for out-of-band communications are as follows:

▲ It’s easy to set up and configure for use because there are no complicated devices to purchase and configure.
▲ The management computer can remotely connect to the server.

Figure 10-14 Remote EMS through a modem.

There are some disadvantages, as follows:

▲ Security features in a modem are limited.
▲ It’s difficult to manage more than a few computers using a modem.

Using a Terminal Concentrator

There are two problems with the direct serial or the modem serial connection to the server. The first problem is that the management computer is limited to two to four serial ports and therefore you can have only two to four EMS connections to your servers. The second problem is that the management computer needs to be physically secured to prevent access to the SAC. You can manage a larger number of servers and remove the necessity of physically securing the management computer by setting up a terminal concentrator to support a larger number of connections. The terminal concentrator contains a larger number of serial ports than a server contains and can support a connection to a server for each port it contains. The terminal concentrator can then be connected to a network or a modem to provide terminal access to the servers it is connected to. This makes it easier to provide out-of-band communication to a larger number of servers. Figure 10-15 illustrates what a network with a terminal concentrator would look like.

A terminal concentrator also makes it easier to secure out-of-band communications. You will need to physically secure the terminal concentrator’s connection to the servers, just as you would any other serial connection. You should include the terminal concentrator in the locked server room with the servers that you will manage through it. The main difference is that the management computer and user can be authenticated by the terminal concentrator. You usually connect to a terminal concentrator using a command-line terminal emulator like Telnet. Better yet, many concentrators support SSH, which can provide many options for authentication, including smart card and public key infrastructure (PKI). SSH also encrypts the traffic between the terminal concentrator and the management computer, further protecting the data from eavesdropping and manipulation. The following are benefits of using a terminal concentrator:

▲ It supports logical authentication mechanisms.
▲ It can support encryption.
▲ It supports a larger number of servers for out-of-band management.
▲ It can support features in firmware like powering on and off the servers.

The main disadvantage is that you need to purchase additional hardware in the form of terminal concentrators.
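The clear-text warning in the Telnet section (10.3.5) and the advice above to reach a terminal concentrator over SSH rather than Telnet both reduce to one check a defender can automate: which management protocols the firewall is actually passing, and from where. The following Python script is an added example, not part of the book's text; its log format, addresses and internal address ranges are constructed, and the port rules are the ones this chapter states (Telnet 23, SSH 22, RPC/DCOM 135 TCP and UDP, RDP and Remote Assistance 3389).

```python
"""Audit firewall log lines for the remote-management protocols discussed in
this chapter.  Rules applied (from the chapter):
  - Telnet (TCP 23) passes logon and commands in clear text, so it should not
    cross an unsecured network at all.
  - RPC/DCOM (TCP and UDP 135) is shared by every RPC program, so opening it
    inbound from an untrusted network is dangerous; a VPN is the alternative.
  - RDP and Remote Assistance (TCP 3389) are acceptable as long as the RDP
    encryption level stays at "High" (128-bit).
  - SSH (TCP 22) is the preferred command-line tool.
Log format, addresses and internal ranges are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port -> tool mapping taken from the chapter.
MANAGEMENT_PORTS = {
    ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet",
    ("tcp", 135): "RPC/DCOM",
    ("udp", 135): "RPC/DCOM",
    ("tcp", 3389): "RDP/Remote Assistance",
}

# Assumed internal address space (constructed; adjust for a real network).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Finding:
    line_no: int
    tool: str
    severity: str  # "info", "warning" or "critical"
    reason: str


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value ...' log line with the keys
    src, dst, proto, dport and action."""
    return dict(token.split("=", 1) for token in line.split())


def classify(line_no: int, rec: Dict[str, str]) -> Optional[Finding]:
    """Apply the chapter's rules to one parsed record; None if not relevant."""
    tool = MANAGEMENT_PORTS.get((rec["proto"].lower(), int(rec["dport"])))
    if tool is None or rec["action"] != "allow":
        return None  # not a management protocol, or the firewall blocked it
    external = not is_internal(rec["src"])
    if tool == "Telnet":
        # Credentials and commands are readable on the wire; worst across a WAN.
        return Finding(line_no, tool, "critical" if external else "warning",
                       "clear-text logon and commands; use SSH or a VPN")
    if tool == "RPC/DCOM" and external:
        return Finding(line_no, tool, "critical",
                       "port 135 open inbound; all RPC programs share it, use a VPN")
    if tool == "RDP/Remote Assistance" and external:
        return Finding(line_no, tool, "warning",
                       "inbound 3389 from outside; confirm RDP encryption is set to High")
    return Finding(line_no, tool, "info",
                   "management protocol allowed from the internal network")


def audit(log_text: str) -> List[Finding]:
    """Run every line of the log through classify() and collect the findings."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        found = classify(n, parse_line(line))
        if found is not None:
            findings.append(found)
    return findings


# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=23 action=allow
src=10.0.0.20 dst=10.0.0.5 proto=tcp dport=22 action=allow
src=198.51.100.9 dst=10.0.0.5 proto=tcp dport=135 action=allow
src=198.51.100.9 dst=10.0.0.5 proto=udp dport=135 action=deny
src=203.0.113.7 dst=10.0.0.8 proto=tcp dport=3389 action=allow
src=10.0.0.20 dst=10.0.0.8 proto=tcp dport=80 action=allow
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.tool:<22} {f.severity:<8} {f.reason}")
```

Denied lines and non-management ports produce no finding, so only the four permitted management sessions in the sample are reported.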

Figure 10-15 Using a terminal concentrator.

Using an Intelligent UPS

You might already have devices that can act as terminal concentrators in the form of an intelligent uninterruptible power supply (intelligent UPS). An intelligent UPS can form two connections to the server for use by EMS. It can connect using the standard serial connection and it can connect to the server through the AC power line. This means that not only can you manage the servers, but you can remotely control the power to the servers. The intelligent UPS can provide the same features a terminal concentrator provides. Having one device that performs two functions could save you the costs of purchasing separate terminal concentrators. Figure 10-16 shows the configuration using an intelligent UPS. You need to manage and secure an intelligent UPS in the same way that you manage and secure a terminal concentrator. Physically secure the device in the server room with the servers and then use machine and user authentication to secure the network connection to the UPS.

Figure 10-16 Intelligent UPS setup.

FOR EXAMPLE

Ensuring 24x7 Uptime

Busicorp hosts web applications for a number of customers. Their highest level of service offers customers a dedicated server and offers a partial refund for service if the server is down more than 30 minutes. There are currently ten customers who have purchased this level of service. The servers are running Windows Server 2003 and IIS. The Busicorp IT department currently has a rotating schedule for being on call. However, they have had to refund customer money due to the commute time for some IT staff members. IT wants to allow out-of-band remote management for these servers. You decide to purchase a terminal concentrator and allow out-of-band remote management from a secure management computer on the internal network and from the IT administrators’ laptop computers when they are connected through a modem. You require them to connect using SSH and authenticate with a smart card.

SELF-CHECK

1. Compare Remote Desktop and Remote Assistance.
2. Compare Telnet and SSH.
3. Identify the four ways to configure an out-of-band remote management solution using EMS.

SUMMARY

In this chapter, you learned how to ensure that your network remains operational and secure. The chapter began with a look at configuration control and creating a security update infrastructure to keep your software up-to-date. Next you learned about creating an audit trail to ensure you are notified of attempts to attack a computer. You also learned about some ways to configure secure remote management, including in-band management and out-of-band management.

KEY TERMS

!Special Administration Console (!SAC)
acct command
accton command
Audit
Auditing
Audit log
Audit trail
Automatic Updates
Change control
Clipping level
Configuration auditing
Configuration control
Configuration identification
Configuration item (CI)
Configuration management
Configuration status accounting
dcomcnfg
Direct serial connection
Distributed Component Object Model (DCOM)
Documentation control
Dumps memory
Emergency Management Services (EMS)
Event log
finger command
HyperTerminal
In-band remote management
Intelligent uninterruptible power supply (intelligent UPS)
Intrusion detection (ID)
last command
lastcomm command
lastlog command
Management computer
Modem serial connection
Monitoring
NetMeeting
Null modem cable
Out-of-band remote management
Packet Privacy
Patch
Penetration testing
Protocol analyzers
Remote Assistance
Remote Desktop for Administration
Remote Desktop Protocol (RDP)
Remote management plan
Remote procedure call (RPC)
Roaming disconnect support
Secondary network
Secure Shell (SSH)
Security access control list (SACL)
Security update
Security update infrastructure
Service processor
Software Update Services (SUS)
Special Administration Console (SAC)
Systems Management Server (SMS)
Telnet
Terminal concentrator
Terminal emulation
Terminal Services
User mode access
utmp command
War dialers
who command
Windows Server Update Services (WSUS)
Windows update
wtmp command

ASSESS YOUR UNDERSTANDING

Go to www.wiley.com/college/cole to assess your knowledge of ongoing security management. Measure your learning by comparing pre-test and post-test results.

Summary Questions

1. Which of the following ensures that all system changes are approved before they are implemented?
(a) configuration auditing
(b) configuration control
(c) configuration identification
(d) configuration status accounting
2. Which free software update method can you use to automatically apply only approved updates to computers running Windows Server 2003 and SQL Server 2005?
(a) SMS
(b) SUS
(c) Windows Update
(d) WSUS
3. The only way to configure WSUS clients is through Group Policy. True or false?
4. Which command would you use to display the information in the wtmp file on a Linux computer?
(a) finger
(b) last
(c) lastcomm
(d) who
5. Which audit policy would you enable to log attempts to change trust relationships on a Windows computer?
(a) audit directory service access
(b) audit account management
(c) audit policy change
(d) audit process tracking
6. An out-of-band remote management tool is used when normal network communication cannot be established. True or false?
7. Which port would you need to open in a firewall to allow users to connect to a computer on the other side of the firewall using Remote Desktop?
(a) 22
(b) 23
(c) 135
(d) 3389
8. By default, the RDP protocol uses 128-bit encryption on a computer running Windows Server 2003. True or false?
9. Both Telnet and SSH can be used with smart card authentication. True or false?
10. You connect to a computer using the !SAC management console. What task can you perform?
(a) kill a process
(b) configure IP addressing
(c) restart the server
(d) display a list of running processes
11. You can use a terminal concentrator to connect multiple servers for out-of-band management. True or false?

Applying This Chapter

1. You have configured security for a Microsoft Exchange 2003 server and 40 client computers on a network. The computers are all members of an Active Directory® domain and are located at the same site. The client computers are running Windows XP Professional with Service Pack 2. They are also running Microsoft Office 2003. The business is a seasonal business. Most of the year the office supports about 40 users. However, in the summer, that number grows to 150. The additional users are supported using rented computers.
(a) What aspects of the network are most subject to change?
(b) Describe how you would handle security updates on the network. Explain why that is the most appropriate choice.
(c) The company is planning to upgrade to Exchange Server 2007. What should occur before the upgrade?
(d) You are concerned about unauthorized changes to Active Directory objects. How can you track attempted changes?
(e) If the Exchange server fails when you are not at work, you want to be able to restart it from home. What is the least expensive way to meet this requirement?
(f) When temporary employees are working at the site, they often have questions. You want to be able to help them with their problems without leaving your desk. What should you do?

YOU TRY IT

Ongoing Management for a Web Solution

You manage a website. The website includes a web server and a database server. Both servers are running Windows Server 2003. The web server is located on the perimeter network. The database server is a headless server and is located on the internal network in a locked server room. SSL is used to encrypt communication between the clients and the web server and between the web server and the database server. The web application must have around-the-clock uptime. There are no IT administrators on-site between 8 p.m. and 7 a.m.

1. You are designing the configuration control plan for the servers. List some configuration items.
2. Discuss the drawbacks to enabling Automatic Updates on the web server.
3. Identify the remote management requirements for this environment and describe how you would address them.
4. You need to be able to use the database management system user interface to manage the database server once a month. You want to ensure that only your laptop computer is used to log on to the database server remotely and that data is encrypted. What is the best way to achieve these requirements?
5. How can you ensure that only you and the web server are accessing the database server?

11 DISASTER RECOVERY AND FAULT TOLERANCE

Starting Point

Go to www.wiley.com/college/cole to assess your knowledge of disaster recovery and fault tolerance. Determine where you need to concentrate your effort.

What You’ll Learn in This Chapter

▲ Business continuity planning
▲ Disaster recovery planning
▲ Incident response planning
▲ Backup and restoration planning
▲ Redundant Array of Independent Disks (RAID)
▲ Storage area networks (SANs)
▲ Server clusters

After Studying This Chapter, You’ll Be Able To

▲ Identify the purpose of a business continuity plan
▲ Identify the purpose of a disaster recovery plan
▲ Describe the methods of testing a disaster recovery plan
▲ Identify the purpose of an incident response plan
▲ List the steps you should take when responding to a security incident
▲ Create a backup strategy
▲ Compare and contrast various RAID implementations
▲ Identify a situation in which a SAN would be used
▲ Identify a situation in which you would implement a server cluster

INTRODUCTION

Regardless of all your mitigation efforts, attacks are going to happen. And unfortunately, they are not the only threat your network faces. Natural disasters, fires, and equipment failure also threaten the availability of your network. When planning your network security, you should always prepare for the worst. This chapter looks at the policies you should have in place to help you deal with worst-case scenarios, minor attacks, or even natural disasters. The chapter then discusses some guidelines for creating a backup and restore plan. The chapter concludes by examining fault tolerance.

11.1 Planning for the Worst

A wide variety of events can impact the operations of a business and the information systems used by that business. These events can be either natural or manmade. Examples of disruptive events include the following:

▲ Sabotage
▲ Arson
▲ Security incidents
▲ Strikes
▲ Bombings
▲ Earthquakes
▲ Fire
▲ Floods
▲ Fluctuations in or loss of electrical power
▲ Storms
▲ Communication system failures
▲ Unavailability of key employees

This chapter examines three types of policies that can help a business continue to operate and recover from a security incident or other disruptive event: a business continuity plan, a disaster recovery plan, and an incident response plan.

11.1.1 Business Continuity Planning

The primary purpose of business continuity planning is to reduce the risk of financial loss and to enhance a company’s capability to recover promptly from a disruptive event. The business continuity plan should also help minimize the cost and mitigate the risk associated with the disruptive event.

Business continuity plans should evaluate all critical information processing areas of the organization, such as workstations and laptops, servers, networks, storage media, application software, and personnel procedures. A business continuity planning committee should be formed and given the responsibility to create, implement, and test the plan. The committee is made up of representatives from senior management, all functional business units, information systems, and security administration. The committee initially defines the scope of the plan, which should deal with how to recover promptly from a disruptive event and mitigate the financial and resource loss.

The business continuity planning process consists of four phases:

1. Scope and plan initiation: creation of the scope and the other elements needed to define the parameters of the plan.
2. Business impact assessment: a process to help business units understand the impact of a disruptive event. This phase includes the execution of a vulnerability assessment (similar to a risk assessment).
3. Business continuity plan development: development of the business continuity plan. This process includes the areas of plan implementation, plan testing, and ongoing plan maintenance.
4. Plan approval and implementation: final senior management sign-off, enterprise-wide awareness of the plan, and implementation of a maintenance procedure for updating the plan as needed.

These elements are discussed in more detail in the following sections.

Scope and Plan Initiation

The scope and plan initiation phase is the first step to creating a business continuity plan. It entails creating the scope for the plan and the other elements needed to define the parameters of the plan. This phase includes an examination of the company’s operations and support services. Scope activities could include creating a detailed account of the work required, listing the resources to be used, and defining the management practices to be employed.

Business Impact Assessment

A business impact assessment is a process used to help business units understand the impact of a disruptive event. The purpose of a business impact assessment is to create a document that will be used to help understand what impact a disruptive event would have on the business. The impact might be financial (quantitative) or operational (qualitative, such as the inability to respond to customer complaints).

that is. The vulnerability assessment should address critical support functions such as the physical infrastructure. (d) Incurring financial loss due to violation of regulatory or compliance requirements. and telecommunications systems. or incurring public embarrassment. Perform the vulnerability assessment. The vulnerability assessment is smaller than a full risk assessment and is focused on providing information that is used solely for the business continuity plan and disaster recovery plan. 3. 3. what is the longest period of time a critical process can remain interrupted before the company can never recover? It is often found during the business impact assessment process that this time period is much shorter than expected. Prioritization of critical systems: Every critical business unit process must be identified and prioritized. or personal liability resolution. with the most time-sensitive processes receiving the most resource allocation. Gather the appropriate assessment materials. accounting. Estimation of downtime tolerance: The business impact assessment is used to help estimate the maximum tolerable downtime that the business can tolerate and still remain a viable company. (b) The loss of public confidence or credibility. and the impact of a disruptive event must be evaluated. You should also determine the factors that make the business successful. Identification of resource requirements: The resource requirements for the critical processes are identified at this time. 2. (b) The additional operational expenses incurred due to the disruptive event. 2. capital expenditure. The vulnerability assessment usually includes quantitative (financial) and qualitative (operational) sections. Quantitative loss criteria include the following: (a) Incurring financial losses from loss of revenue. Typical qualitative loss criteria include the following: (a) The loss of competitive advantage or market share. 
The business impact assessment process begins by identifying the critical business units and their interrelationships. Analyze the compiled information. A business impact assessment is usually conducted in the following manner: 1. payroll. (c) Incurring financial loss due to violation of contractual agreements.398 DISASTER RECOVERY AND FAULT TOLERANCE A business impact assessment has three primary goals: 1. Analyzing the information as part of the business impact assessment includes the following: .

When a disaster strikes. summarize the quantitative and qualitative impact statements. create enterprise-wide awareness of the plan. Plan Approval and Implementation The object of this activity is to obtain the final senior management sign-off. employee turnover. ▲ Senior management approval: Because senior management is ultimately responsible for all phases of the business continuity plan. they must have final approval. audit procedures should be put in place that can report regularly on the state of the plan. 11. and ongoing plan maintenance. . along with the associated recommendations. plan testing. procedures. such as reorganization. Specific training might be required for certain personnel to carry out their tasks. 4. list the identified critical support areas. This process includes plan implementation. or upgrading of critical resources. ▲ Plan awareness: Enterprise-wide awareness of the plan is important and emphasizes the organization’s commitment to its employees. a business continuity plan might become outdated. analyses. ▲ Plan maintenance: Because of uncontrollable events. and implement a maintenance procedure for updating the plan as needed. (c) Determining acceptable interruption periods. The report will contain the previously gathered material. and results should be documented and presented to management.11. (b) Documenting required processes.1 PLANNING FOR THE WORST 399 (a) Identifying interdependencies.2 Disaster Recovery Planning Disaster recovery planning is concerned with the protection of critical business processes from the effects of major information system and network failures. Business Continuity Plan Development The business continuity plan is developed by using the information collected in the business impact assessment to create the recovery strategy plan that will support the critical business functions. by quickly recovering from an emergency with a minimum impact to the organization. 
Any costs for implementing the plan would also need to be approved at this point. relocation. Document the results and present recommendations.1. and provide the recommended recovery priorities generated from the analysis. All processes. Also. plan maintenance techniques must be employed from the outset to ensure that the plan remains fresh and usable. Whatever the reason. senior management must be able to make informed decisions quickly during the recovery effort.

A disaster recovery plan is a comprehensive statement of consistent actions to be taken before, during, and after a disruptive event that causes a significant loss of information systems resources. Disaster recovery plans are the procedures for responding to an emergency, providing extended backup operations during the interruption, and managing recovery and salvage processes afterwards, should an organization experience a substantial loss of processing capability. Another objective of a properly executed disaster recovery plan is to allow the business to implement critical processes at an alternate site and to return to the primary site and normal processing within a time frame that minimizes the loss to the organization. The disaster recovery planning process involves developing the disaster recovery plan, testing the plan, and executing it in the event of an emergency.

Developing the Disaster Recovery Plan
This first step involves developing the recovery plans and defining the necessary steps required to protect the business in the event of a disaster. Automated tools are available to assist in the development of the disaster recovery plan. These tools can improve productivity by providing formatted templates customized to the particular organization's needs.

Determining Recovery Time Objectives
Early in the disaster recovery planning process, all business functions and critical systems must be examined to determine their recovery time requirements. Recovery time objectives are assigned to each function or system in order to guide the selection of alternate processing procedures. Table 11-1 summarizes the rating classes and associated recovery time frame objectives. When determining how to rate a particular function or system, you should consider the quantitative cost associated with downtime, any service level agreements you have in place with customers, and other costs that might be incurred by the system being down, such as loss of reputation or possible litigation. The more loss associated with a system being down, the higher that system should be rated.

Table 11-1: Recovery Time Frames
Rating   Recovery Time Frame
AAA      Immediate
AA       Full functional recovery within 4 hours
A        Same business day
B        Up to 24 hours downtime permitted
C        24 to 72 hours downtime permitted
D        Greater than 72 hours downtime acceptable

Establishing Backup Sites
An important component of disaster recovery planning is maintaining a backup site that provides some degree of duplication of computing resources located away from the primary site. The types of backup sites are differentiated primarily by the extent to which the primary computing resources are replicated. Hot sites, warm sites, and cold sites are the most common types of remote off-site backup processing facilities. They are differentiated by how much preparation is devoted to the site and, therefore, how quickly the site can be used as an alternate processing site. The characteristics of each of these sites are given as follows:
▲ Cold site: a designated computer operations room with heating, ventilation, and air conditioning (HVAC) that has no computing systems installed and, therefore, would require a substantial effort to install the hardware and software required to begin alternate processing. This type of site is rarely useful in an actual emergency.
▲ Warm site: an alternate processing facility with equipment installed, but without the current data set.
▲ Hot site: a site with all required computer hardware, software, and peripherals ready to begin alternate processing either immediately or within an acceptably short time frame. This site would be a duplicate of the original site and might only require synchronization of the most current data to duplicate operations.
Additional options for providing backup capabilities include the following:
▲ Mutual aid agreements: An arrangement with another company that might have similar computing needs. Both parties agree to support each other in the case of a disruptive event by providing alternative processing resources to the other party. Although appealing, this is not a good choice if the emergency affects both parties. Also, capacity at either facility might not be available when needed.
▲ Rolling or mobile backup: Contracting with a vendor to provide mobile power and HVAC facilities sufficient to stage the alternate processing.
▲ Multiple centers: In this scenario, the processing is spread over several operations centers, creating a distributed approach to redundancy and sharing of available resources. These multiple centers could be owned and managed by the same organization (in-house sites) or used in conjunction with a reciprocal agreement. If the centers are all owned by the same organization, the additional servers can also help manage the normal load.
▲ Service bureaus: An organization might contract with a service bureau to fully provide alternate processing services. The advantages of this type of arrangement are the quick response and availability of the service bureau, the possibility of testing without disrupting normal operations, and the possible availability of the service bureau for additional support functions. The disadvantages of this type of setup are the expense and the potential for resource contention during a large emergency.
Plan Testing

The disaster recovery plan must be tested and evaluated at regular intervals. Testing is required to verify the accuracy of the recovery procedures, verify the processing capability of the alternate backup site, train personnel, and identify deficiencies. The most common types of testing modes, by increasing level of thoroughness, are as follows:
▲ Checklist review: The disaster recovery plan is distributed and reviewed by business units for its thoroughness and effectiveness.
▲ Tabletop exercise or structured walk-through test: Members of the emergency management group meet in a conference room setting to discuss their responsibilities and how they would react to emergency scenarios by stepping through the plan.
▲ Walk-through drill or simulation test: The emergency management group and response teams actually perform their emergency response functions by walking through the test, without actually initiating recovery procedures.
▲ Functional drill: This approach tests specific functions, such as medical response, emergency notifications, warning and communications procedures, and equipment, although not necessarily all at once. It also includes evacuation drills, where personnel walk the evacuation route to a designated area where procedures for accounting for the personnel are tested.
▲ Parallel test or full-scale exercise: A real-life emergency situation is simulated as closely as possible. It involves all of the participants that would be responding to the real emergency, including community and external organizations. The test might involve ceasing some real production processing.
▲ Full-interruption test: Normal production is shut down and the disaster recovery processes are fully executed. This type of test is dangerous and, if not properly executed, can cause a disaster situation.


Implementing the Plan

If an actual disaster occurs, there are three options for recovery:
▲ Recover at the primary operating site.
▲ Recover to an alternate site for critical functions.
▲ Restore full system after a catastrophic loss.
Two teams should be organized to execute the recovery: the recovery and salvage teams. The functions of these teams are as follows:
▲ Recovery team: restore operations of the organization's critical business functions at the alternate backup processing site. The recovery team is concerned with rebuilding production processing. Getting a business's critical functions back online should be the highest priority task.
▲ Salvage team: repair, clean, salvage, and determine the viability of the primary processing infrastructure immediately after the disaster.
The disaster recovery plan should also address other concerns such as paying employees during a disaster, preventing fraud, media relations, and liaison with local emergency services.
11.1.3 Designing an Incident Response Procedure

The recovery plan is used in the event of a natural disaster or other catastrophic event. However, to respond to a security incident, you need a plan that specifically deals with the issues involved with recovering from a security incident. This is known as a Computer Security Incident Response Plan (CSIRP) and should provide you with the information you’ll need at the moment that an attack is discovered or suspected. It should contain a list of the names and numbers of those to be notified. The first step in putting together a CSIRP is to build a team referred to as a Computer Security Incident Response Team (CSIRT). It is extremely important that each member of the team be given a finite scope of responsibility. It is always a good idea to include a broad range of skills on the team. A good team would include a network administrator who knows the topology of the network, a server administrator who knows the configuration of the servers, a desktop administrator who knows the configuration of the desktop workstations in the organization, an application specialist who is familiar with the applications that are running on the workstations and the servers, a security specialist whose main focus is on securing the organization, a team leader to facilitate the chain of communication, and a manager who has the authority to make a decision not covered by the plan.


Table 11-2: Severity Classifications
Severity   Example(s)
1          A small number of users receive an email with a virus attachment, which is caught by antivirus software on the computer. A small number of scans detected on perimeter systems along with information concerning which computers will be targeted.
2          A large number of scans detected on perimeter systems; zero effect on production systems.
3          A large number of computers infected with a known computer virus that is handled by antivirus software. Small number of isolated computers infected with unknown computer virus.
4          A breach of perimeter systems or successful denial-of-service attack with minimal impact on production.
5          A breach of perimeter systems or successful denial-of-service attack with major impact on production systems; poses a significant chance of financial or public relations damage.

Severity Classifications

Once the entire team has been formed, the next step is to determine the severity level you'll assign to certain types of incidents. As you might imagine, some security incidents might not require the entire team being brought in. For example, an incident such as a small virus infecting a single computer would certainly not warrant the whole CSIRT to resolve the problem. There must be clear definitions of what severity an incident is and therefore who needs to work to resolve the issue. Table 11-2 shows an example of severity classification for ABC Corporation with some examples. Based on Table 11-2, incidents with a severity of 3 or greater would result in the activation of the CSIRT; incidents with lower severity levels would be handled without the intervention of the incident response team. Instead, a network administrator or desktop support person would respond to resolve the problem.
Communication Procedure

The procedure should include a defined chain of notification, or communication procedure, that describes how the information can flow to everyone who might be affected by the incident. One of the best ways to avoid mistakes when reacting to an incident is to have a procedure that spells out how the information should be disseminated to the various members of the team as well as to notify those individuals in need-to-know roles. Communication is key to the success of your security response team in properly defending and effectively reacting. For example, a scenario in which you suspect an employee is selling information to competitors typically spurs an internal investigation by the security team to audit the critical resources that are being leaked. Without a procedure specifying whom to notify, the workstation of the employee could be re-imaged by a desktop administrator, which would obviously erase most of the evidence on the machine. The desktop administrator should be made aware of the breach in security and trained well enough to know that re-imaging the workstation hard drive is not the appropriate response in this situation.
Methods of Responding to an Attack

There are typically two techniques for responding to an attack. One is to shut down or disconnect the system(s) that have been compromised (not the router that they came in through, unless it has been compromised). Shutting down or disconnecting the system(s) allows you to preserve the evidence before the attacker has the opportunity to hide his or her tracks. The other option is to isolate the system(s) so that you can monitor the activity of the attacker in order to gather more evidence and at the same time prevent other systems from being attacked. This option does, however, come with significant risk. The attacker might notice the changes, eliminate the evidence, and stop the attack. Allowing the attacker to continue, even in an isolated environment, should be an option only for a highly skilled security expert.
Incident Response Procedure Steps

The incident response procedure should include details for the following steps, with as much specific information as possible:
1. Declare the incident. The response procedure should include the conditions that must be met for an incident to be declared, as well as who is responsible for making the declaration. When an incident occurs that requires the team to respond, it should be declared. Typically, the team manager would be the individual making the declaration, and he or she would notify upper management that a security incident has occurred. The team manager would also be the person responsible for communicating the incident to the rest of the team.
2. Analyze the incident. The incident will need to be analyzed to determine the scope of the breach. It is at this stage that the details of the incident will be recorded.
3. Contain or resolve the incident. Depending on the type of incident that occurs, you might need to quarantine the systems that have been compromised. Should a solution exist that can be applied and alleviate the situation, it should be carried out. Fixing the problem is better than containing it.
4. Resolve the problem. If the previous step led only to containment, the next step is to resolve the problem. This might begin with cleaning a system and then applying a patch or a service pack.
5. Prevent reoccurrence of the problem. Take the appropriate steps to prevent the system(s) from being compromised again.
6. Document events. Log all of the events that have taken place, from the discovery of the breach to resolution. This documentation will be used in the post-incident evaluation.
7. Preserve evidence. Be sure to retain as much evidence as possible. As previously stated, this data can be used by the authorities to capture the attacker. The evidence can also be used to prevent future attacks that exploit similar vulnerabilities. It might be necessary to preserve the computer system as evidence, at least for a while, and to replace it with another computer.
8. Conduct a post-incident evaluation. Gather the team after the incident has been resolved to review all of the information that was collected. Identify areas in which the team could improve its response and paths of communication. Determine if a post-incident report should be provided to management and users.

FOR EXAMPLE
An Incident Response Procedure Will Prevent Mistakes
The first time that Steve fell victim to an external attack, he panicked and immediately shut down the router that the attacker entered through—he literally unplugged it. That was a knee-jerk reaction under the stress that obviously comes with being attacked. Turning off the router not only disconnected the attacker, it also stopped Internet email from entering the organization and prevented the company's users from sending external email and accessing the Internet entirely. Fortunately, the attackers (Steve found out later that it was significantly more than one) were only able to gain access to the company's public FTP servers and used them only to store and share files across the Internet. Had there been a well-documented procedure dictating his response, Steve wouldn't have made such monumental mistakes. You will want to make sure that you have a procedure in place to prevent your response staff from making those mistakes.


SELF-CHECK
1. Describe the purpose of a business continuity plan.
2. Describe the purpose of a disaster recovery plan.
3. Describe the purpose of a CSIRP.

11.2 Creating a Backup Strategy
If an incident, disaster, hard disk crash, or other catastrophic system failure occurs, you need to be able to recover data and services as quickly as possible. In many cases, this will mean reformatting and restoring from backup. Having a reliable backup strategy is essential to ensuring you can recover. This section discusses some guidelines for making sure your backup strategy can meet your business’s recovery time frame requirements.
11.2.1 Analyzing Backup Requirements

When designing a backup strategy, the most important point is to ensure that your strategy is in line with the business's operational and data security requirements. As with other design tasks, the first step you must take is to analyze these requirements. You must identify the following:
▲ Recovery time frame requirements for each server on the network.
▲ The data stored on each server and on client workstations.
▲ How frequently each type of data changes.
▲ How the data is stored—is it in files or a database?
▲ Disk space required for the backup.
▲ The amount of data loss that can be tolerated if an incident occurs.
▲ Confidentiality requirements for the data.
▲ Is the data encrypted?
▲ How quickly the data needs to be brought back online.
▲ The cost of data loss, which includes the time necessary to reenter or recreate data.

You need to consider transactional data, such as that stored in a relational database; dynamic data, such as email on a store and forward server (a server that stores messages until they are picked up by the user or forwarded to the next email server on the route to its destination); documents stored on servers and on user workstations; server configuration data; and directory services and user account data. If you have a public key infrastructure (PKI), you will also need a backup of all certificates. You will need to take special care to protect the backup of the root server certificate and its associated private key, because anyone holding that key can issue certificates the whole organization trusts. If you use Encrypting File System (EFS) or another data encryption method, you will need to ensure that the certificates used to encrypt the data are also backed up. When analyzing data backup requirements, you might want to use a spreadsheet like the one shown in Figure 11-1.

Figure 11-1 Data backup requirements spreadsheet.
11.2.2 Backing Up System Configurations

You need to be able to ensure that you can recover each computer on the network to the state it was in before it was compromised or before a disaster occurred. This means having a reliable system configuration backup. On a Windows® computer, this backup is known as a system state backup. A system state backup on a domain controller includes the directory services database. You will also need to make sure you have a backup of any applications and application settings. The best way to do this is to periodically create a full backup (a backup of everything) of each server or to create an image using a utility like Symantec™'s Ghost™ (a utility used to create a snapshot image of a computer's configuration that can be applied at a later time or to create an identical computer configuration). For client computers that have a standard configuration, creating an image using Ghost is a good way to ensure that you can quickly restore the client computer to a basic configuration. Remember that the image or full backup might not include the latest security updates, so make sure to apply them before connecting the computer to the network.
11.2.3 Choosing a Backup Tool

Another decision you will need to make is what tool to use to perform backups. Most operating systems include a backup utility. For example, Windows includes Windows Backup, shown in Figure 11-2. Windows Backup allows you to select files and folders to back up, to back up system state, and to schedule recurring backups. It supports volume shadow copy, which allows you to back up files even if they are in use. There is also a command-line version of Windows Backup, called ntbackup. There are also a number of third-party applications that can be used to perform backups. These applications differ in the features they support. For example, Mondoarchive supports backup of a Linux computer and is included with the Knoppix® distribution. Some applications, such as database management systems, also include a backup feature. When they do, it is often best to create a backup using the application's software.

Figure 11-2 Windows Backup utility.
11.2.4 Choosing the Backup Media

Another important decision you need to make is the destination media for your backups. Your choice will depend on a number of factors, including the following:
▲ Media types supported by the backup tool.
▲ Cost.
▲ Storage capacity.
▲ Whether you need to run unattended backups.
▲ Security requirements.
▲ Off-site storage requirements.

Most backup solutions support backing up to a tape drive or network share. Some also support backing up to a CD. It is a good idea to keep a backup at a different location to ensure you can recover from a fire, flood, or other incident that affects the physical site. To do so, you will need to back up to removable media, such as a tape or CD, or burn the backups to a CD periodically. A backup kept at a different location is known as an off-site backup. When backing up confidential data, you need to ensure that the backup media is physically secure. You should also protect backups by using a strong password.
11.2.5 Determining the Types of Backups

A full backup of data can be very time consuming and use a lot of disk space. Therefore, you will probably want to combine periodic full backups with supplemental backups. Two types of supplemental backups are common:
▲ Differential backup: A differential backup backs up all data that has changed since the last full backup.
▲ Incremental backup: An incremental backup backs up all data that has changed since the last full or incremental backup.
The time necessary to perform differential and incremental backups is compared in Figure 11-3.

Figure 11-3 Relative time to perform backup (bars for: full backup, 1st differential backup, 2nd differential backup, 1st incremental backup, 2nd incremental backup).


Figure 11-4 Restoration process (differential: restore full backup, then restore 2nd differential backup; incremental: restore full backup, restore 1st incremental backup, then restore 2nd incremental backup).

The advantage to a differential backup is that you only need to restore two backups to restore the system: the full backup and the differential backup. The advantage to the incremental backup is that backups take less time and require less disk space. However, when restoring the computer, you need to apply the full backup and each incremental backup since the full backup. The restoration process is shown in Figure 11-4. When backing up transactional data, such as that stored in a relational database, you can perform a transaction log backup, which creates a backup of the actions that have occurred on the data. A relational database management system writes changes to a file, known as a transaction log, before they are written to the database. A transaction log backup allows you to perform very frequent backups and to recover with minimal data loss. When recovering a database, you restore the database backup and then apply the transaction log backups in the order in which they are taken. If you were able to create a tail-log backup (a backup of the current transaction log) before backing up the database, you will apply that backup last and no data loss will occur. The procedure for restoring a transactional database is shown in Figure 11-5.
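The backup types and restore chains just described, as an added example that is not from the book. The Python below keeps an in-memory file set and a backup catalog, takes full, differential and incremental backups of it, works out which backups a restore has to apply (full plus one differential, or full plus every incremental since that full), and replays transaction-log backups with the tail-log backup last. The file names, contents and log records are constructed sample data; file deletion is deliberately not modelled.

```python
"""Simulation of full, differential and incremental backups, the restore
chain each requires, and transaction-log replay for a database.  This is
an added example, not code from the book; the file names, contents and
log records are constructed sample data."""


class BackupSimulator:
    """Tracks a set of files and the backups taken of them.

    Deletions are not modelled: a restore is the union of the restored
    backups, with later backups overriding earlier ones.
    """

    def __init__(self):
        self.files = {}                  # live data: name -> content
        self.changed_since_full = set()  # drives differential backups
        self.changed_since_last = set()  # since last full OR incremental
        self.catalog = []                # (kind, {name: content}) per backup

    def write(self, name, content):
        self.files[name] = content
        self.changed_since_full.add(name)
        self.changed_since_last.add(name)

    def full(self):
        self.catalog.append(("full", dict(self.files)))
        self.changed_since_full.clear()
        self.changed_since_last.clear()

    def differential(self):
        # Everything changed since the last full.  Like a differential that
        # leaves the archive bit set, it does not reset the change markers.
        snap = {n: self.files[n] for n in self.changed_since_full}
        self.catalog.append(("differential", snap))

    def incremental(self):
        # Only what changed since the last full or incremental, then reset.
        snap = {n: self.files[n] for n in self.changed_since_last}
        self.catalog.append(("incremental", snap))
        self.changed_since_last.clear()


def restore_chain(catalog, target):
    """Catalog indexes to restore, in order, to reach the state captured by
    catalog[target]: full + one differential, or full + every incremental."""
    full = max(i for i in range(target + 1) if catalog[i][0] == "full")
    kind = catalog[target][0]
    if kind == "full":
        return [full]
    if kind == "differential":
        return [full, target]
    return [full] + [i for i in range(full + 1, target + 1)
                     if catalog[i][0] == "incremental"]


def restore(catalog, target):
    """Apply the chain; later backups overwrite earlier copies of a file."""
    state = {}
    for i in restore_chain(catalog, target):
        state.update(catalog[i][1])
    return state


def backup_sizes(catalog):
    """Files captured by each backup: the bar heights of Figure 11-3."""
    return [len(snap) for _, snap in catalog]


def recover_database(db_backup, log_backups, tail_log=None):
    """Restore the database backup, replay transaction-log backups in the
    order they were taken, then the tail-log backup (if one could be made)
    last.  Each log is a list of (row key, new value) records."""
    db = dict(db_backup)
    logs = list(log_backups) + ([tail_log] if tail_log is not None else [])
    for log in logs:
        for key, value in log:
            db[key] = value
    return db


def demo():
    """Constructed schedule: a full backup, then alternating differential
    and incremental backups while two of the three files change."""
    sim = BackupSimulator()
    sim.write("orders.db", "v1")
    sim.write("logo.png", "v1")
    sim.write("memo.txt", "v1")
    sim.full()            # 0: 3 files
    sim.write("orders.db", "v2")
    sim.differential()    # 1: 1 file  (orders.db)
    sim.incremental()     # 2: 1 file  (orders.db), change markers reset
    sim.write("memo.txt", "v2")
    sim.differential()    # 3: 2 files (orders.db, memo.txt)
    sim.incremental()     # 4: 1 file  (memo.txt)
    return sim


if __name__ == "__main__":
    sim = demo()
    print("backup sizes:", backup_sizes(sim.catalog))
    print("restore via differential:", restore_chain(sim.catalog, 3))
    print("restore via incrementals:", restore_chain(sim.catalog, 4))
```

Running it shows the trade-off in numbers: the second differential captures two files where the matching incremental captures one, but restoring from the incrementals needs three restores (0, 2, 4) against two (0, 3) for the differential. The same union-with-override rule is why the database recovery applies logs oldest to newest and the tail-log last.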
Figure 11-5 Database restoration process (flowchart: Can the transaction log be backed up? If yes, create a tail-log backup. Restore the database. Restore the oldest transaction log backup, then the next transaction log backup, through the newest transaction log backup. Tail-log backup available? If yes, restore the tail-log backup.)

11.2.6 Determining Backup Frequency

Another key concern when designing a backup strategy is determining how frequently data needs to be backed up. This is one place your spreadsheet will come in handy because different data will have different backup frequency requirements, depending on the following:
▲ How often the data changes.
▲ Business tolerance for data loss.
For example, you might need to back up the graphics files for the marketing department only once a week because they rarely change. However, the online order system and inventory database files change rapidly and there is little tolerance for data loss. Therefore, you might need to perform a daily full backup and hourly incremental backups of this data.

Backing Up Data on Client Computers
Implementing a reliable backup strategy that includes the data on client computers is difficult unless the data is stored on a central server. Most network operating systems allow you to store user data on a server. Some operating systems, such as Windows XP and Windows Vista™, have built-in support for synchronizing this centralized data with data stored on the client computer. This allows users to access their data when not connected to the network, while still allowing administrators to back up the data. If the data is stored on a computer running Windows Server 2003 or Windows Vista, users can also take advantage of shadow copy, which copies a file when it is changed and allows users to recover from user errors and file corruption. Shadow copy does not protect against hard disk failure.

11.2.7 Assigning Responsibility for Backups

You will most likely want to automate backups so that they run on a scheduled basis. However, if you are backing up to removable media, such as a tape backup, someone needs to be responsible for changing the tape when it becomes full. Someone must also be responsible for auditing the backup process to make sure backups are run and for periodically testing the backups to ensure they can be restored if necessary. Another consideration is that the backup operation must run under the security context of a user account. That user account must have permission to perform the backup. On a Windows system, that means the user must have either Read permission or the Back up files and directories user right (see Figure 11-6). Permissions will vary for other backup programs. For example, the Mondoarchive program must run under the superuser account.

Figure 11-6 The Back up files and directories user right.

FOR EXAMPLE
Backups in a Distributed Environment
Many companies have resources dispersed across multiple geographic locations. Some of these locations might not even have an IT person on staff. When this is the case, how can you be sure that resources at those locations are being backed up? Some vendors offer solutions for backing up servers that are geographically distributed. One example is Adaptec®'s Snap Server™. It provides a centralized backup location. If remote servers are running the Snap Enterprise Data Replicator (Snap EDR) agent, data can be automatically replicated to the Snap Server. A solution like this also off-loads the backup storage to a separate server.

11.2.8 Testing Recovery

A key element in your backup strategy should be guidelines for recovery of each system. You should periodically test recovery procedures using a test system. Doing so will help verify that your backup strategy is consistent and that employees understand the steps necessary for recovery. The more familiar those responsible are with recovery procedures, the less likely they are to make a mistake when under the pressure of a real security incident or disaster.

SELF-CHECK
1. Compare full backup, differential backup, and incremental backup.
2. Compare shadow copy and volume shadow copy.
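The check that 11.2.7 and 11.2.8 call for, restoring a backup somewhere harmless and confirming the result, as an added example that is not from the book. The Python below builds a small sample file tree in a temporary directory (constructed data), archives it with a SHA-256 manifest, restores it to a clean directory and compares every file against the manifest, reporting corrupted, missing and unexpected files. It also refuses an archive member whose path would land outside the restore directory, a precaution worth having when the archive being restored may not be the one you wrote. Standard library only; the file names and contents are invented for the demonstration.

```python
"""Back up a directory to a tar.gz archive with a SHA-256 manifest, then
prove the backup is restorable by extracting it into a clean directory
and checking every file against the manifest.  Added example, not from
the book; the sample files are constructed inside a temporary directory."""

import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive):
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source, archive):
    """Archive every file under `source`; write and return the manifest
    {relative path: sha256}.  The manifest is what a restore test is
    judged against, so keep it with the off-site copy of the archive."""
    source = Path(source)
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def restore_archive(archive, restore_dir):
    """Extract into `restore_dir`.  Returns a problem list; an archive with
    a member that would land outside restore_dir (e.g. "../x") is rejected
    before anything is written."""
    root = Path(restore_dir).resolve()
    root.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            try:
                (root / member.name).resolve().relative_to(root)
            except ValueError:
                return [f"unsafe path in archive: {member.name}"]
        if hasattr(tarfile, "data_filter"):   # Python 3.12+ and backports
            tar.extractall(root, filter="data")
        else:
            tar.extractall(root)
    return []


def check_restored(manifest, restore_dir):
    """Compare the restored tree with the manifest: missing, corrupt and
    unexpected files are all reported."""
    root = Path(restore_dir)
    problems = []
    for rel, digest in sorted(manifest.items()):
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"corrupt: {rel}")
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    problems.extend(f"unexpected: {rel}" for rel in sorted(present - set(manifest)))
    return problems


def verify_restore(archive, restore_dir):
    """The periodic restore test: extract to scratch space, then check."""
    problems = restore_archive(archive, restore_dir)
    if problems:
        return problems
    manifest = json.loads(manifest_path(archive).read_text())
    return check_restored(manifest, restore_dir)


def run_demo():
    """Constructed sample data; returns the outcome of three restore tests."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "fileserver"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "payroll.csv").write_text("emp,amount\n1001,5200\n")
        (src / "readme.txt").write_text("quarterly figures\n")
        archive = tmp / "fileserver.tar.gz"
        manifest = create_backup(src, archive)

        clean = verify_restore(archive, tmp / "restore_ok")      # expect []

        damaged_dir = tmp / "restore_bad"
        verify_restore(archive, damaged_dir)
        (damaged_dir / "readme.txt").write_text("bit rot\n")     # simulated media corruption
        (damaged_dir / "finance" / "payroll.csv").unlink()       # simulated lost file
        damaged = check_restored(manifest, damaged_dir)

        evil = tmp / "evil.tar.gz"                                # path-traversal member
        with tarfile.open(evil, "w:gz") as tar:
            info = tarfile.TarInfo("../escaped.txt")
            info.size = 4
            tar.addfile(info, io.BytesIO(b"pwnd"))
        manifest_path(evil).write_text("{}")
        traversal = verify_restore(evil, tmp / "restore_evil")
        escaped = (tmp / "escaped.txt").exists()

        return {"files": len(manifest), "clean": clean, "damaged": damaged,
                "traversal": traversal, "escaped": escaped}
```

In production the manifest would be signed or stored separately from the archive, since a tampered archive can carry a matching tampered manifest; the point here is the habit of restoring to scratch space and comparing, rather than trusting that a job which reported success produced something usable.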

11.3 Designing for Fault Tolerance

With Internet connectivity and global operations, many businesses today require 24×7 availability (around-the-clock) for at least some of the resources on their network. In addition, some companies offer Service Level Agreements (SLAs) that put limits on how long a resource can be unavailable in the event of a security incident, system failure, or even a disaster. If you manage a network that includes these types of resources, you need to design a fault tolerant solution to ensure you can meet the availability requirements. The purpose of this section is not to make you an expert in designing fault tolerant solutions, but only to introduce you to the terms and concepts. This section begins by discussing the concept of a single point of failure. It then moves on to discuss fault tolerant solutions for data storage. The section concludes with a look at server failover.

11.3.1 Eliminating Single Points of Failure

Consider the network in Figure 11-7. The problem with this network is that it has a number of single points of failure. What happens if the database server fails? What happens if the domain name system (DNS) server is compromised? How long will it take for business operations to resume? The answer to these questions depends on how long it will take to obtain a computer, install an operating system, install applications, and restore data from backup. What if the database server stores patient medical records for a hospital? Chances are the time to restore the database server will be too long.

Figure 11-7 Network with single points of failure (DNS server, database server, file server, file and print server, authentication server, and clients).

A single point of failure is a server, hardware component, or network

device that is not redundant (duplicated). If something happens to that component, the service it provides will not be available until the component is replaced. In the case of a file server, that might not be a problem. However, in the case of a domain controller or DNS server, it can prevent users from accessing the network at all. The first step when designing a fault tolerant solution is to identify the single points of failure on your network. Then you can determine how to mitigate the risk of that system failing or being compromised.

11.3.2 Selecting Fault Tolerant Storage

One of the primary ways companies can improve availability is to invest in a Redundant Array of Independent Disks (RAID) solution for servers that require high availability or that contain data that cannot be lost due to drive failure. A RAID solution involves using multiple disks to improve reliability and performance. A RAID solution cannot be used to recover from a security incident. Therefore, it should not be viewed as a replacement for regular backups.

When selecting a RAID solution, you need to choose the following:

▲ RAID level.
▲ Whether to use software or hardware RAID.

Your choices will depend on a number of factors, including availability requirements, performance requirements, capacity requirements, and budget. We'll look first at the RAID levels and then look at the trade-offs between software and hardware RAID implementations. Finally, we'll look at how storage area networks can provide additional fault tolerance for data storage.

11.3.3 RAID Levels

There are multiple levels of RAID, each offering different levels of protection, performance, and disk capacity. These levels are

▲ RAID 0: disk striping
▲ RAID 1: disk mirroring
▲ RAID 1E: striped mirror
▲ RAID 5: striping with parity
▲ RAID 5EE: hot space
▲ RAID 6: striping with dual parity
▲ RAID 10: striped RAID 1 arrays
▲ RAID 50: striped RAID 5 arrays
▲ RAID 60: striped RAID 6 arrays

Let's take a brief look at how each of these works.

Figure 11-8 RAID 0.

Figure 11-9 RAID 1.

RAID 0: Disk Striping

RAID 0 (disk striping) is not actually a fault tolerant solution. It is a disk array in which data is striped across multiple hard disks as shown in Figure 11-8. Its main benefit is that it offers better performance because data can be read from and written to multiple disks simultaneously. RAID 0 allows you to use 100% disk capacity for storage.

RAID 1: Disk Mirroring

RAID 1 (disk mirroring) provides fault tolerance by writing all data to two disks, as shown in Figure 11-9. RAID 1 requires exactly two disks. It can tolerate failure of a single hard disk. RAID 1 offers excellent read performance and good write performance when both disks are functioning. During failure and recovery, performance degrades to the level provided by a single disk. The primary disadvantage to RAID 1 is that it allows you to use only 50% of the total disk capacity.

Figure 11-10 RAID 1E.

Figure 11-11 RAID 5.

RAID 1E: Striped Mirror

RAID 1E (striped mirror) is a combination of RAID 0 and RAID 1. A stripe is written to one disk and mirrored to the next disk in the array, as shown in Figure 11-10. You must have at least three disks to implement RAID 1E. Its primary advantage is that you can include an odd number of disks in the array. Like RAID 1, it can tolerate failure of a single disk and allows you to use only 50% of the total disk capacity.

RAID 5: Striping with Parity

RAID 5 (striping with parity) works by striping data across the n−1 drives in the array and including a parity stripe on the drive that does not include data from that stripe, where n is the number of drives in the array. A parity stripe is calculated from the data using an exclusive or (XOR) function. This is illustrated in Figure 11-11.
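As an added illustration (not the book's code), the XOR parity just described, written out as a small RAID 5 simulator whose parity position rotates across the drives as in Figure 11-11; the chunk size, drive count and sample data are constructed for the example, and a failed drive is regenerated the way a replacement or hot spare would be.

```python
"""RAID 5 striping with rotating parity: added illustration, not the book's code.
Each stripe holds n-1 data chunks plus one parity chunk that is the byte-wise XOR of
those data chunks; the parity position rotates across the drives (Figure 11-11)."""
from functools import reduce
from typing import List, Optional

CHUNK = 4  # bytes per chunk; a small constructed size so the layout stays readable


def xor_chunks(chunks: List[bytes]) -> bytes:
    """Parity is the byte-wise exclusive OR of equally sized chunks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*chunks))


def parity_drive(stripe: int, n_drives: int) -> int:
    """Parity sits on drive 0 for stripe 0, then moves one drive backwards per stripe."""
    return (-stripe) % n_drives


def raid5_write(data: bytes, n_drives: int) -> List[List[bytes]]:
    """Lay out `data` across `n_drives` drives; returns drives[d][stripe] = chunk."""
    if not 3 <= n_drives <= 16:
        raise ValueError("RAID 5 needs between 3 and 16 drives")
    per_stripe = CHUNK * (n_drives - 1)
    if len(data) % per_stripe:  # zero-pad so the last stripe is full
        data += b"\0" * (per_stripe - len(data) % per_stripe)
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(len(data) // per_stripe):
        block = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [block[i:i + CHUNK] for i in range(0, per_stripe, CHUNK)]
        pd = parity_drive(s, n_drives)
        data_iter = iter(chunks)
        for d in range(n_drives):
            drives[d].append(xor_chunks(chunks) if d == pd else next(data_iter))
    return drives


def raid5_rebuild(drives: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Regenerate every chunk of drive `failed` onto a replacement (e.g. a hot spare):
    each missing chunk, data or parity, is the XOR of the surviving chunks in its stripe."""
    survivors = [drv for d, drv in enumerate(drives) if d != failed and drv is not None]
    if len(survivors) != len(drives) - 1:
        raise RuntimeError("RAID 5 tolerates only one failed drive; data lost")
    return [xor_chunks([drv[s] for drv in survivors]) for s in range(len(survivors[0]))]


def raid5_read(drives: List[Optional[List[bytes]]]) -> bytes:
    """Reassemble the logical volume, running degraded if one drive is None."""
    failed = [d for d, drv in enumerate(drives) if drv is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates only one failed drive; data lost")
    if failed:
        drives = list(drives)
        drives[failed[0]] = raid5_rebuild(drives, failed[0])
    n = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        pd = parity_drive(s, n)
        out += b"".join(drives[d][s] for d in range(n) if d != pd)  # skip the parity chunk
    return bytes(out)
```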

Figure 11-12 RAID 5EE.

RAID 5 protects against the failure of a single drive. A RAID 5 array can support between 3 and 16 drives. The primary benefit to a RAID 5 array is disk capacity. Between 67% and 94% of total capacity can be utilized, depending on the number of drives in the array. It offers excellent read performance, but the write performance is somewhat degraded because of the calculation of the parity stripe. Performance during disk failure and recovery is also degraded. Some RAID 5 implementations include a hot spare, which is a drive that is automatically added to the array when a disk fails. Using a hot spare can decrease the amount of time the system operates with a failed drive and can decrease the likelihood that a second drive will fail before the stripe set is regenerated. If you have multiple RAID 5 arrays, they can share a single hot spare drive.

RAID 5EE: Hot Space

RAID 5EE (hot space) builds on the idea that many RAID 5 implementations use a hot spare and includes that hot spare as an active drive in the drive array. It does this by writing both a parity stripe and a spare stripe, as shown in Figure 11-12. This makes another disk available for read operations, and can improve read performance by approximately 25%. When using RAID 5EE, you must have between 4 and 16 drives. Available capacity will be between 50% and 88%, depending on the number of drives in the array. However, like RAID 5, RAID 5EE can only protect against the failure of a single drive.

RAID 6: Striping with Dual Parity

RAID 6 (striping with dual parity) is implemented by writing parity stripes to two disks instead of to just one, as shown in Figure 11-13. Its primary advantage is that two hard disk failures can occur without loss of data. Its disadvantage is

that capacity is n−2 instead of the n−1 capacity provided by RAID 5. RAID 6 can be implemented with 4 to 16 disks, with available capacities between 50% and 88%, depending on the number of disks.

Figure 11-13 RAID 6.

Figure 11-14 RAID 10 (two RAID 1 mirror sets striped together).

RAID 10: Striped RAID 1 Arrays

RAID 10 (striped RAID 1 arrays) works by creating a RAID 0 array from two or more RAID 1 mirror sets, as shown in Figure 11-14. This strategy provides

two benefits: better fault tolerance because it can tolerate failure of one drive in each mirror set, and better performance when a drive fails because data can still be read from and written to multiple drives due to the RAID 0 striping. The primary disadvantage is that only 50% of drive capacity is available for data storage. RAID 10 is sometimes called RAID 0+1.

Figure 11-15 RAID 50 (two RAID 5 arrays striped together).

RAID 50: Striped RAID 5 Arrays

RAID 50 (striped RAID 5 arrays) works by creating a RAID 0 stripe set from multiple RAID 5 arrays, as shown in Figure 11-15. It protects against failure of up to one drive in a RAID 5 subarray. It requires at least 6 drives and allows you to use between 67% and 94% of capacity, depending on the number of drives in the subarrays.

RAID 60: Striped RAID 6 Arrays

RAID 60 (striped RAID 6 arrays) works by creating a RAID 0 stripe set from multiple RAID 6 arrays, as shown in Figure 11-16. It protects against failure of up to two disks in each subarray. It requires at least 8 drives and allows you to use between 50% and 88% of capacity, depending on the number of drives in the subarrays.

11.3.4 Choosing Between Hardware and Software RAID

Most current network operating systems, including Windows Server 2003, NetWare®, and Linux, offer at least some levels of software RAID. The primary

benefit to using built-in software RAID is that it is included with the operating system so your only cost will be the cost of the disk drives. Operating system RAID can impact performance because the processor must perform RAID calculations. Another drawback is that RAID protection is not offered during the boot process, meaning that the only RAID type supported on an operating system boot volume is RAID 1. There are four other options that offer better performance and better availability:

1. Hardware-assisted software RAID.
2. Hardware RAID on the motherboard.
3. Hardware RAID on a controller card.
4. A stand-alone disk subsystem.

Let's look at each of these.

Figure 11-16 RAID 60 (two RAID 6 arrays striped together).

Hardware-assisted Software RAID

With hardware-assisted software RAID, you install either a host bus adapter (HBA) that includes a RAID BIOS chip or a RAID BIOS chip on the motherboard

and RAID software on the computer. Some of the RAID processing is performed by the RAID chip, but the computer's processor is still involved in the RAID processing. This means that performance is better than operating system RAID, but not as good as a pure hardware option. This option is moderately inexpensive and offers RAID protection during the boot process. Another potential problem is that the RAID drivers can be affected by viruses.

Hardware RAID on the Motherboard

Some motherboards include a RAID processor and drive interfaces on board. This is known as RAID-on-Chip technology. This configuration is more expensive than hardware-assisted RAID, but offers better protection because it is not vulnerable to viruses and will not lose data during a power loss, as write operations in progress are logged in non-volatile storage. It also offers better performance because the RAID processing is off-loaded to the RAID processor. The primary drawback to hardware RAID on the motherboard is that it is on the motherboard and cannot be migrated to a different computer if the motherboard fails.

Hardware RAID on a Controller Card

The most effective (and most expensive) option is to buy a dedicated RAID controller card. This solution offers all the benefits of RAID-on-Chip, but also can be swapped to a different computer if necessary.

Stand-alone Disk Subsystem

This solution is an external array of disks that includes a power supply and processing chips. Disk subsystems are available that can attach to a computer, to the network, or through a storage area network (SAN). The performance will be best if attached through a SAN. Its storage space can be shared by multiple servers. This means that storage can be centralized for management, backup, and better utilization because all servers will have access to the same bank of storage. Another benefit is that the RAID processing is completely isolated from the rest of the computer, so performance will be optimized.

11.3.5 Storage Area Networks (SANs)

So far we have spoken of RAID in terms of direct attached storage (DAS), meaning that the drives are attached directly to a single server. A solution that offers fault tolerance and better scalability than direct attached RAID is a storage area network (SAN). A SAN device is a storage device that is directly attached to the network. Let's take a closer look at SANs. Figure 11-17 shows a SAN configuration.

Figure 11-17 Storage area network (SAN): servers connected to a SAN device using fibre channel or iSCSI.

A SAN device can connect to the servers using one of two interfaces:

1. Fibre Channel: A high-speed infrastructure of switches that can be used to connect the SANs and the servers.
2. iSCSI: A connection protocol that utilizes TCP/IP over Ethernet.

Let's look at the benefits and drawbacks of each.

Fibre Channel

A fibre channel is a standards-based high-speed protocol suite that can be implemented over copper wire or fiber optic cable. Storage devices and computers are connected to the network using fibre channel switches. A fibre channel network offers high speed data transfer (up to 4Gbps). Its primary drawback is the requirement for specialized equipment and expertise. Another drawback is that it can only support a range of 10 kilometers (km).

iSCSI

When you connect a SAN device using iSCSI, you are connecting it to your existing Ethernet network. iSCSI supports the SCSI (small computer system interface) protocol over a TCP/IP network. It is less expensive to implement than fibre channel because it does not require specialized switches or expertise. With Gigabit Ethernet, iSCSI can offer up to 1Gbps transmission rates. Its transmission distance is limited only by the size of the network.

11.3.6 Designing a Failover Solution

Now that you have determined a strategy for redundant data storage, let's look at how to ensure redundancy for another resource on your network: the servers. Depending on a server's role, you can provide redundancy simply by including multiple servers that perform the same role on the network or you can implement clustering to configure failover between two or more servers that perform the same role.

An example of the first option is providing multiple domain controllers or DNS servers. Domain controllers can be located using SRV records on a DNS server. Clients can be configured with both a primary and a secondary DNS server address. Data is synchronized between them using replication or zone transfer. Another example is providing multiple Dynamic Host Configuration Protocol (DHCP) servers. In this case, data is not synchronized between them. Instead, you must configure non-overlapping scopes on each DHCP server. The reason DHCP can automatically failover is that DHCP server discovery is achieved through broadcasts. This method of providing redundancy is effective where it can be used because it allows for all servers to share the load between them when all are operational, adding automatic fault tolerance. It can also provide protection against some types of attacks. For example, if one DHCP server is the target of a denial-of-service attack, only that server needs to be taken offline. The other DHCP server can assume its role until the compromised server is replaced.

There are some server roles that cannot provide automatic failover simply by placing an additional server in that role on the network. One reason for this is that clients or applications are configured to access the server using its name or IP address. Consider the example of a database server. The database applications are configured to look for a specific server name on the network. If that server goes down, the application will not be able to automatically start using a different database server.

Clustering is a process by which multiple servers share the same role, host name, and IP address on a network. In a server cluster (see Figure 11-18), multiple servers use the same public name and IP address. In actuality, these servers are attached to two networks: one in which they are seen as the same computer and a private network in which they can address each other as individuals. A server cluster can use direct-attached storage or can connect to storage through a SAN. A server cluster can consist of two types of nodes: active nodes and passive nodes. An active node is one that participates in handling service requests. A passive node is one that is inactive until a server configured as an active node fails. The number of nodes supported and the configuration supported depend on the operating system. For example, Windows Server 2003 supports up to eight nodes. Some companies are creating server clusters that span multiple geographic locations to provide failover in the event of a natural disaster or local catastrophe.

One thing to keep in mind is that a server cluster will not protect against

Figure 11-18 Server cluster (private network 192.168.20.20 and 192.168.20.21; Database 1 public IP address 192.168.10.20; public network; clients).

FOR EXAMPLE
Eliminating Single Points of Failure—A Phased Approach

The web applications Busicorp hosts for customers use a database server. All data is currently stored on a single database server. The customer databases are stored on three internal hard disks. Busicorp currently performs a full backup of each database server nightly and transaction log backups hourly. One of the database server's hard disks fails. The customers with data stored on that database were unable to access their data for a four-hour period while the data was being restored. Several customers were very angry. Busicorp decides it needs to change the configuration so that it can recover more quickly. Currently, there is no additional money in the budget, so it decides to reconfigure the hard disks to use software RAID 5. Fortunately, their system has enough capacity that they can implement RAID 5 without purchasing another hard disk. As its customer base grows, Busicorp plans to purchase a SAN device that provides at least RAID 5 protection. Busicorp will implement the SAN using iSCSI so that it can utilize their current network infrastructure. When the customer traffic warrants an additional database server, Busicorp plans to implement an active-active server cluster to allow failover if one of the database servers fails. The server cluster will utilize the SAN.

all types of attacks. In fact, depending on the nature of the attack, all nodes in the cluster might be compromised. Therefore, it is essential to have an offline server that you can quickly use to replace a compromised server if a security incident occurs.

SELF-CHECK
1. Describe the protection offered by each RAID level.
2. Compare fibre channel and iSCSI.
3. Compare an active node and a passive node.

SUMMARY

In this chapter, you learned how to develop plans that will help you recover network functionality in the event of a security incident, natural disaster, hardware failure, or other catastrophe. You examined guidelines for business continuity planning, recovery planning, and security incident response planning. You also learned about the factors you must consider when creating a backup strategy. The chapter concluded with a look at implementing fault tolerance, including disk fault tolerance using RAID, SANs, and server clustering.

KEY TERMS

24×7 availability, Active node, Backup site, Business continuity plan, Business continuity planning committee, Business impact assessment, Checklist review, Clustering, Cold site, Communication procedure, Computer Security Incident Response Plan (CSIRP), Computer Security Incident Response Team (CSIRT), Determinate chain of notification, Differential backup, Direct attached storage (DAS), Disaster recovery plan, Disk mirroring, Disk striping, Evacuation drill,

Failover, Fault tolerant solution, Fibre channel, Full backup, Full-interruption test, Full-scale exercise, Functional drill, Ghost, Hardware-assisted software RAID, Host bus adapter (HBA), Hot site, Hot space, Hot spare, Image, Incremental backup, iSCSI, Mobile backup, Mondoarchive, Multiple centers, Mutual aid agreement, ntbackup, Off-site backup, Parallel test, Parity stripe, Passive node, Qualitative loss criteria, Quantitative loss criteria, RAID 50, RAID 5, RAID 5EE, RAID-on-Chip technology, RAID 1, RAID 1E, RAID 6, RAID 60, RAID 10, RAID 0, RAID 0+1, Recovery team, Redundant, Redundant Array of Independent Disks (RAID), Rolling backup, Salvage team, Scope and plan initiation phase, Service bureau, Service Level Agreement (SLA), Shadow copy, Simulation test, Single point of failure, Storage area network (SAN), Store and forward server, Striped mirror, Striped RAID 5 arrays, Striped RAID 1 arrays, Striped RAID 6 arrays, Striping with dual parity, Striping with parity, Structured walk-through test, System state backup, Tabletop exercise, Tail-log backup, Transactional data, Transaction log, Transaction log backup, Volume shadow copy, Vulnerability assessment, Walk-through drill, Warm site, Windows Backup.


ASSESS YOUR UNDERSTANDING
Go to www.wiley.com/college/cole to assess your knowledge of disaster recovery and fault tolerance. Measure your learning by comparing pre-test and post-test results.

Summary Questions
1. A business impact assessment should be part of a disaster recovery plan. True or False?
2. A business continuity planning committee should include representatives from which of the following?
   (a) senior management and information systems only
   (b) senior management, all functional units, information systems, and security administration
   (c) information systems and security administration only
   (d) senior management and security administration only
3. Which type of backup site can allow you to get critical systems online the fastest if a disaster occurs?
   (a) cold site
   (b) hot site
   (c) warm site
4. Which type of disaster recovery test could result in an actual disaster if not performed correctly?
   (a) full-interruption test
   (b) functional drill
   (c) parallel test
   (d) full-scale exercise
5. A CSIRP is used only in the event of a security incident. True or False?
6. Which step should be performed AFTER you isolate the compromised system?
   (a) analyze the incident
   (b) declare the incident
   (c) reformat the compromised system
   (d) prevent reoccurrence of the problem
7. What backup strategy will require you to restore at most two backups during recovery?
   (a) full backup with incremental backups
   (b) full backup with transaction log backups
   (c) full backup with differential backups


8. On a computer running Windows Vista, shadow copy is the only backup necessary. True or False?
9. Which RAID level allows you to recover from the failure of any two disks?
   (a) RAID 10
   (b) RAID 6
   (c) RAID 50
   (d) RAID 5EE
10. An iSCSI SAN can be created using the existing TCP/IP network infrastructure. True or False?
11. A server cluster can only be implemented by servers at the same geographic location. True or False?

Applying This Chapter
1. You have been hired by a company to evaluate their network and procedures and to help them prepare for a security incident or natural disaster. The servers on the company's network are shown in Figure 11-19.
   (a) What information will you need to gather to create a business continuity plan?
   (b) Why is a business impact assessment important?
   (c) When will the disaster recovery plan be used?
Figure 11-19 Servers on the network: Domain controller / DNS server, DHCP server, Accounting Database server, Production file server, Domain controller, Marketing file server, Orders And Shipping Database server.


   (d) Which type of test would you perform to allow response teams to perform their functions without actually initiating recovery procedures?
   (e) How would a person know who to contact if a security incident is suspected?
   (f) Why would you isolate a compromised server and replace it with a different server?
   (g) What information do you need to gather before you can create a backup policy?
   (h) On which servers could you perform a transaction log backup?
   (i) Which services represent a single point of failure for network operations?
   (j) During the business impact analysis, it is determined that the resource that must be restored the soonest is the OrdersAndShipping database. What is the advantage of implementing a RAID 1 solution?
   (k) What is the disadvantage to implementing a RAID 1 solution?
   (l) Why are backups still important even if you implement a RAID 1 solution?
   (m) You find that disk space on the OrdersAndShipping database server is at 80% utilization, while disk space on the Accounting database server is at 30% utilization. How could a SAN help provide better storage utilization?
   (n) What protection would be offered by implementing server clustering on the OrdersAndShipping database server?
   (o) How could you eliminate the DNS server as a single point of failure?

YOU TRY IT

Creating Policies
You learned about several different policies you should create to prepare for the worst. Consider the company where you work and answer these questions:
1. Does your company have a business continuity plan in place?
2. Does your company have a disaster recovery plan in place?
3. Have you ever been involved in a disaster recovery plan test? If so, describe your experience.
4. Does your company have a CSIRP in place?
5. What divisions should be included on your company's CSIRT team?
6. Why is it important to conduct a post-incident evaluation?

Evaluating RAID Solutions
Consider the following RAID configurations and identify the storage capacity available and the protection offered.
1. Three 20GB hard disks configured in a RAID 5 array.
2. Five 40GB hard disks configured in a RAID 5EE array.
3. Five 20GB hard disks configured in a RAID 6 array.
4. Eight 40GB hard disks configured in a RAID 60 configuration.

Creating a Backup Strategy
FS1 contains files that are critical to business operations. The files change by 20% on a daily basis. Most of these changes affect the same files. The company can afford to lose only 8 hours worth of changes to the files. A full backup takes 2 hours to complete and the same amount of time to restore. The company operates around-the-clock. The company's current backup plan calls for a full backup every Friday at 8 p.m. and incremental backups every other night at 8 p.m.
1. If the hard disk fails at 7 p.m. on Thursday night, how much data will be lost?
2. How long will the server take to restore?
3. Why would differential backups be a better solution?
4. How could you change the backup plan to meet the company's requirements?
5. What is the best way to allow for fast recovery if the server's processor fails?
6. What type of incident would your solution to step 5 not protect against?


12
INTRUSION DETECTION AND FORENSICS
Starting Point
Go to www.wiley.com/college/cole to assess your knowledge of intrusion detection and forensics. Determine where you need to concentrate your effort.

What You’ll Learn in This Chapter
▲ Intrusion detection systems
▲ Intrusion protection systems
▲ Honeypots
▲ Collection and preservation of evidence

After Studying This Chapter, You’ll Be Able To
▲ Describe the role of an intrusion detection system
▲ Describe the role of an intrusion protection system
▲ Describe the role of a honeypot
▲ Explain the importance of proper handling of evidence
▲ List the steps you should take to prepare a drive for a forensics investigation
▲ Identify the types of information you must gather before shutting down the computer
▲ Describe techniques for locating evidence on a hard drive


INTRODUCTION
Even with prevention mechanisms in place, at some point an attack will occur. The more time that elapses between the start of an attack and the time you realize that an intrusion has occurred, the more damage the hacker will do. Therefore, it is essential that you have systems in place to alert you to a possible attack. In addition, if an attack does occur, you need to be able to analyze how the attack occurred and document evidence of the attack. Only by understanding the nature of the attack can you build defenses against it occurring in the future. Also, if you decide to prosecute the attacker, you will need to preserve a chain of evidence that will be admissible in court. This chapter looks at mechanisms for detecting an intrusion. Then it examines the purpose of a honeypot. Finally, the chapter looks at some forensics procedures.

12.1 Intrusion Detection
Intrusion detection encompasses a variety of categories and techniques. The primary approaches involve determining if a system has been infected by viruses or other malicious code and applying methods for spotting an intrusion in the network by an attacker. This chapter focuses on detecting an intrusion on the network. To this end, the next sections discuss different types of intrusion detection systems and intrusion protection systems.
12.1.1 Intrusion Detection and Response

Intrusion detection (ID) is the task of monitoring systems for evidence of intrusions or inappropriate usage. The response to a detected intrusion is defined in a Computer Security Incident Response Policy (CSIRP) and includes notifying the appropriate parties, determining the extent of the severity of an incident, and recovering from the incident’s effects.
12.1.2 Intrusion Detection Systems

An intrusion detection system (IDS) is a system that monitors network traffic or audit logs to determine whether any violations of an organization's security policy have taken place. An IDS can detect intrusions that have circumvented or passed through a firewall or that are occurring within the local area network (LAN) behind the firewall. Various types of IDSs exist. The most common approaches to ID are statistical anomaly (also known as behavior-based) detection and signature-based (also known as knowledge-based or pattern-matching) detection. Intrusion detection systems that operate on a specific host and detect malicious activity on that host only are called host-based IDS (HID). ID systems that operate on network segments and analyze that segment's traffic are called network-based IDS (NIDS). Because there are pros and cons of each, an effective ID strategy should use a combination of both network- and host-based IDSs. A truly effective IDS will detect common attacks, including distributed attacks, as they occur. Let's look first at the two approaches to ID. Next we'll examine the difference between host-based and network-based IDSs.
Signature-based IDSs

In a signature-based IDS or knowledge-based IDS, signatures or attributes that characterize an attack are stored for reference. Then, when data about events is acquired from audit logs or from network packet monitoring, this data is compared with the attack signature database. If there is a match, a response is initiated. This is a similar approach to that used by antivirus applications. This method is more common than using behavior-based IDSs. Signature-based IDSs are characterized by low false alarm rates (or false positives) and, generally, are standardized and understandable by security personnel. A weakness of the signature-based IDS approach is the failure to characterize slow attacks that extend over a long period of time. To identify these types of attacks, large amounts of information must be held for extended time periods. Another issue with signature-based IDSs is that they can only detect an intrusion if its attack signature is stored in the database. Additional disadvantages of signature-based IDSs include the following:
▲ The IDS is resource-intensive. The knowledge database continually needs maintenance and updating with new vulnerabilities and environments to remain accurate.
▲ Because knowledge about attacks is very focused (dependent on the operating system, version, platform, and application), new, unique, or original attacks often go unnoticed.
Statistical Anomaly-based IDSs

Statistical anomaly IDSs or behavior-based IDSs dynamically compare usage patterns with learned patterns of "normal" user behavior and trigger an alarm when a deviation occurs. With this method, an IDS acquires data and defines a "normal" usage profile for the network or host that is being monitored. This characterization is accomplished by taking statistical samples of the system over a period of normal use. Typical characterization information used to establish a normal profile includes memory usage, CPU utilization, and network packet types. With this approach, new attacks can be detected because they produce abnormal system statistics. The advantages of a behavior-based IDS include the following:
▲ The system can dynamically adapt to new, unique, or original vulnerabilities.
▲ A behavior-based IDS is not as dependent upon specific operating systems as a knowledge-based IDS.
▲ The system can help detect abuse-of-privilege attacks that do not actually involve exploiting any security vulnerability.
Some disadvantages of a statistical anomaly IDS are that it will not detect an attack that does not significantly change the system's operating characteristics, and it might falsely detect a non-attack event that caused a momentary anomaly in the system. Also, behavior-based IDSs are characterized by the following:
▲ High false alarm rates. High false positives are the most common failure of behavior-based ID systems and can create data noise that can make the system unusable or difficult to use.
▲ Activity and behavior of the users of a networked system might not be consistent enough to effectively implement a behavior-based ID system.
▲ The network might experience an attack at the same time the intrusion detection system is learning the behavior, so that the attack traffic becomes part of the "normal" profile.
Network-based IDSs

Network-based IDSs (NIDSs) reside on a discrete network segment and monitor the traffic on that segment. They are usually implemented as a network appliance with a network interface card (NIC) that operates in promiscuous mode (a mode in which it can see all other packets on the network) and intercepts and analyzes the network packets in real time. A network-based IDS involves looking at the packets on the network as they pass by a sensor. The sensor can only see the packets that happen to be carried on that particular network segment. Network traffic on other segments and traffic on other communication media (such as phone lines) can't be monitored properly by a network-based IDS. Packets are identified to be of interest if they match a signature. Three primary types of signatures are as follows:
1. String signatures: String signatures look for a text string that indicates a possible attack.
2. Port signatures: Port signatures watch for connection attempts to well-known, frequently attacked ports.
3. Header condition signatures: Header condition signatures watch for dangerous or illogical combinations in packet headers.
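The two detection approaches and the three NIDS signature types, illustrated with an added Python example (this is not code from the chapter): a toy sensor that checks each packet against a constructed signature database of string, port and header rules, plus a statistical anomaly detector that learns a per-host packets-per-interval baseline and alerts on observations more than three standard deviations from the mean. The packets, the baseline counts and the rule names are all constructed for this example. It shows the trade-off the text describes: a novel flood has no signature and is caught only by the anomaly detector, which at the same threshold also raises a false positive on a legitimate backup burst.

```python
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset        # TCP flag names, e.g. frozenset({"SYN"})
    payload: bytes = b""


# Signature database, constructed for this example (not a vendor ruleset).
STRING_SIGNATURES = {                      # text strings that indicate an attack
    "str-etc-passwd": b"/etc/passwd",      # path traversal toward the password file
    "str-cmd-exe": b"cmd.exe",             # command shell requested through a web server
}
PORT_SIGNATURES = {                        # connection attempts to frequently attacked ports
    "port-telnet": 23,
    "port-smb": 445,
}
HEADER_SIGNATURES = {                      # illogical flag combinations used by stealth scanners
    "hdr-xmas": lambda p: {"FIN", "PSH", "URG"} <= p.flags,
    "hdr-syn-fin": lambda p: {"SYN", "FIN"} <= p.flags,
}


def match_signatures(pkt: Packet) -> list[str]:
    """Return the IDs of every signature the packet matches (empty list = no alert)."""
    hits = []
    for sid, needle in STRING_SIGNATURES.items():
        if needle in pkt.payload:
            hits.append(sid)
    if pkt.flags == frozenset({"SYN"}):    # a bare SYN is a connection attempt
        for sid, port in PORT_SIGNATURES.items():
            if pkt.dport == port:
                hits.append(sid)
    for sid, test in HEADER_SIGNATURES.items():
        if test(pkt):
            hits.append(sid)
    return hits


class AnomalyDetector:
    """Learn mean and standard deviation of a usage metric (here packets per
    interval from one host) over a training window, then alert when a new
    observation deviates by more than `threshold` standard deviations."""

    def __init__(self, threshold: float = 3.0):
        self.threshold = threshold
        self.mu = 0.0
        self.sigma = 0.0

    def train(self, samples: list[int]) -> None:
        self.mu = mean(samples)
        self.sigma = stdev(samples) if len(samples) > 1 else 0.0

    def zscore(self, value: float) -> float:
        if self.sigma == 0.0:             # degenerate baseline: any change is anomalous
            return float("inf") if value != self.mu else 0.0
        return (value - self.mu) / self.sigma

    def is_anomalous(self, value: float) -> bool:
        return abs(self.zscore(value)) > self.threshold


def run_demo() -> dict:
    """Run both detectors over constructed traffic and report what each caught."""
    http = frozenset({"PSH", "ACK"})
    packets = [
        Packet("10.0.0.5", "10.0.0.80", 80, http, b"GET /index.html HTTP/1.1\r\n"),
        Packet("203.0.113.9", "10.0.0.80", 80, http, b"GET /../../etc/passwd HTTP/1.1\r\n"),
        Packet("203.0.113.9", "10.0.0.22", 23, frozenset({"SYN"})),
        Packet("203.0.113.9", "10.0.0.22", 22, frozenset({"FIN", "PSH", "URG"})),
    ]
    signature_hits = {i: match_signatures(p) for i, p in enumerate(packets)}

    # Training data: packets per 10-second interval from one workstation (constructed).
    baseline = [20, 22, 19, 21, 20, 23, 18, 20]
    detector = AnomalyDetector(threshold=3.0)
    detector.train(baseline)

    # A new flooding tool sends plain SYNs to an unlisted port: no signature matches.
    flood_packet = Packet("203.0.113.9", "10.0.0.80", 8080, frozenset({"SYN"}))
    flood_rate = 400      # packets per interval during the flood
    backup_rate = 60      # legitimate nightly backup from the same workstation

    return {
        "signature_hits": signature_hits,
        "flood_by_signature": bool(match_signatures(flood_packet)),
        "flood_by_anomaly": detector.is_anomalous(flood_rate),
        "backup_by_anomaly": detector.is_anomalous(backup_rate),   # the false positive
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Real sensors evaluate thousands of rules with compiled multi-pattern matchers and model many metrics per host; the point here is the decision logic. The threshold is the tuning knob: the backup burst scores a z of roughly 25 and the flood roughly 240, so raising the threshold would silence this particular false positive, but an attack that stays within three standard deviations of the baseline is exactly what the anomaly detector cannot see, which is why the text recommends combining both approaches.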


An NIDS usually provides reliable, real-time information without consuming network or host resources. An NIDS is passive when acquiring data and reviewing packets and headers. It can also detect denial-of-service (DoS) attacks. One problem with an NIDS is that it will not detect attacks against a host made by an intruder who is logged in at the host's terminal, nor can it inspect the contents of encrypted traffic. Implementing an NIDS in a switched environment poses challenges. This issue arises from the basic differences between standard hubs and switches. A hub echoes every packet to every port except the one the packet came in on. Therefore, in networks employing only hubs, NIDS sensors can be placed almost anywhere in the infrastructure. A switch, however, looks up the destination address of each packet and forwards it only to the port where that host is attached. This means more care must be exerted when placing IDS sensors in a switched environment to ensure the sensor is able to see all of the network traffic. Many switches permit a spanning (port-mirroring) configuration, which copies the traffic of one or more ports to a designated monitoring port; for that port the switch behaves like a hub. Unfortunately, a spanned port cannot be guaranteed to carry all the traffic: if the monitored ports together carry more than the mirror port's capacity, the switch silently drops copies, and many switches limit the number of span sessions that can be active at once. Another option is to use an inline NIDS. An inline NIDS acts like a bridge between a router and a switch or between two switches, as shown in Figure 12-1. The network adapter used to perform monitoring is generally not assigned an IP address so that it cannot be the direct recipient of traffic. Most NIDSs will include a separate network adapter as a management interface.
Host-based IDSs

Host-based IDSs (HIDSs) use small programs (intelligent agents) that reside on a host computer. They monitor the operating system, detect inappropriate activity, write to log files, and trigger alarms. Host-based systems look for activity only on the host computer; they do not monitor the entire network segment.
Figure 12-1 Inline NIDS. [Diagram: Internet, Router, Firewall, NIDS sensor, Switch; three Servers and a Computer hang off the switch.]


An HIDS can review the system and event logs to detect an attack on the host and to determine whether the attack was successful. Detection capabilities of an HIDS are limited by the incompleteness of most audit log capabilities. In particular, HIDSs have the following characteristics:
▲ They monitor access and changes to critical system files and changes in user privileges.
▲ They detect trusted insider attacks better than an NIDS.
▲ They are relatively effective at detecting attacks from the outside.
▲ They can be configured to look at all network packets, connection attempts, or login attempts to the monitored machine, including dial-in attempts or other non-network-related communication ports.
12.1.3 IDS Issues

Many issues limit the effective use of an IDS. These include the following:
▲ The use of more complex, subtle, and new attack scenarios.
▲ The use of encrypted messages to transport malicious information.
▲ The need to interoperate and correlate data across infrastructures with diverse technologies and policies.
▲ Ever-increasing network traffic.
▲ Attacks on the IDSs themselves.
▲ Unacceptably high levels of false positives and false negatives, making it difficult to determine true positives.
▲ The lack of objective IDS evaluation and test information.
▲ The fact that most computing infrastructures are not designed to operate securely.
An issue with the implementation of intrusion detection systems is the performance of the IDS when network bandwidth begins to reach saturation levels. Obviously, there is a limit to the number of packets that a network intrusion detection sensor can accurately analyze in any given time period. The higher the network traffic level and the more complex the analysis, the more the IDS might experience high error rates, such as prematurely discarding copied network packets.

FOR EXAMPLE
The IDS that Cried Wolf
An IDS is only useful if someone monitors the logs. However, if the logs include a large number of false positives, the job can be tedious and actual attempts at an attack can be missed. Many signature-based sensors are configured with all signatures enabled. Although this might be appropriate in some environments, consider the case where you are running an application that generates traffic similar to one of the signatures. A large number of entries are added to the log file. The administrator responsible for reviewing the log file soon tires of looking at false positives and stops reviewing the log. An attack occurs and the IDS logs the traffic as suspicious. Unfortunately, because of all the false positives, no one reviews the log and the attack goes unnoticed until customers complain that they can't access the application server. The remedy is tuning: disable or suppress the noisy signature for the hosts that legitimately trigger it, rather than abandoning the log.
12.1.4 Intrusion Prevention Systems (IPS)

An intrusion prevention system (IPS) is similar to an IDS, except that it not only detects and logs suspected intrusion attempts, it also attempts to prevent them, for example by dropping the offending packets or resetting the connection. An IPS can be host-based or network-based. It can use attack signatures or anomalies as the basis for blocking traffic. One potential drawback to an IPS is that false positives will block legitimate network traffic, so its signatures are usually tuned more conservatively than those of an IDS. Because a network IPS sits inline, it is also a point of failure: you must decide whether it should fail open (pass traffic unchecked) or fail closed (drop everything) if it crashes or is overloaded.

SELF-CHECK
1. Compare a signature-based IDS with an anomaly-based IDS.
2. Compare an NIDS and an HIDS.

12.2 Honeypots
A different approach to intrusion detection and response is the use of a honeypot. A honeypot is a monitored decoy mechanism that is used to entice a hacker away from valuable network resources and provide an early indication of an attack. It also provides for detailed examination of an attacker’s methods during and following a honeypot exploitation. Honeypots can be employed for either research or production purposes. In the research mode, a honeypot collects information on new and emerging threats, attack trends, and motivations, and, essentially, characterizes the attacker community. When applied on a production network, honeypots are used for preventing attacks, detecting attacks, and responding to attacks.

12.2.1 Preventing, Detecting, and Responding to Attacks

Honeypots are effective in preventing attacks by doing the following:
▲ Slowing or impeding port scanning by detecting scanning activity.
▲ Consuming an attacker's energy through interaction with a honeypot.
▲ Deterring an attack by a cracker who suspects that a network employs honeypots and is concerned about getting caught.
Honeypots provide a way to detect an attack that is taking place or has occurred. Honeypots have the following advantages in detecting attacks:
▲ The ability to capture new and unknown attacks.
▲ Reduction in the amount of data that has to be analyzed, by capturing only attack information.
Responding to an attack on a production network is challenging and not always effective. There are constraints that hamper the response process, such as not being able to take a critical application offline to analyze the attack and having to sort through myriads of IDS data. Honeypots offer solutions to these problems. First, a honeypot does not perform a business-related function, so it can be taken offline to analyze data and prepare a response while the attack is detected, analyzed, and handled. Secondly, because they do not handle legitimate user traffic, honeypots generate small amounts of data that are the direct result of an attack, so the data can be reviewed more efficiently and a response can be implemented in a shorter time period.
One way to use a honeypot is to position it on your internal network, as shown in Figure 12-2. When a honeypot is located on the internal network, it can log traffic that warns of malicious software running on the network, such as a worm. Attack traffic logged on a honeypot located on the internal network might also indicate that your perimeter defenses are insufficient.

Figure 12-2 Honeypot on the internal network. [Diagram: Web Server, Firewall, Firewall, Switch, Server, Server, Honeypot.]

Another configuration is to place the honeypot on the perimeter network, as shown in Figure 12-3. This strategy allows you to examine the types of attacks that can breach the firewall between the Internet and your perimeter network and can give you forewarning about attacks that might target resources on your internal network as well. It also reduces the risk of an attacker compromising the honeypot to launch an attack on other network resources. However, consider that some of the information will not be useful if you already have defenses set up to protect against those types of attacks. The less protected the honeypot is, the more information you will gather. Thus, in a production environment, you would not be likely to put a honeypot directly on the Internet.

Figure 12-3 Honeypot on the perimeter network. [Diagram: Web Server, Switch, Firewall, Firewall, Server, Server, Honeypot.]

12.2.2 Honeypot Categories

In general, there are two types of honeypots: low-interaction honeypots and high-interaction honeypots. In this context, interaction refers to the level of activity provided by the honeypot to the attacker.

Low-interaction Honeypots

A low-interaction honeypot supports a limited emulation of an operating system and system services. Because the honeypot has minimal capabilities, an attacker's actions are limited by the low level of emulation that the honeypot provides. An obvious advantage of this type of honeypot is its lack of complexity and ease of deployment. However, the simplicity of a low-interaction honeypot is its primary weakness, in that its limited interaction makes it easier for an attacker to determine that he or she is engaged with a honeypot.
An example of a low-interaction honeypot is Honeyd. Honeyd is an open-source honeypot developed by Niels Provos. Honeyd 0.8 was released under the GNU General Public License (GNU GPL) in January of 2004. Honeyd updates are available regularly, with version 1.5 released in August of 2006. Honeyd is a daemon that can run on Unix, Linux, and Windows operating systems. You can configure it to simulate a specific operating system and to emulate common services, including Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP). Honeyd operates in the following fashion:
1. It monitors connection attempts to unused IP space (unassigned addresses in the subnet).
2. It checks connections to TCP and UDP ports.
3. It intercepts connections and pretends to be a system service or operating system.
4. It logs the attacker's interaction with the service or operating system emulated by the honeypot.
5. It captures information such as passwords, command instructions, and attack targets.

High-interaction Honeypots

High-interaction honeypots are more complex than low-interaction honeypots in that they provide for more complex interactions with attackers by incorporating actual operating systems and services. This type of honeypot can capture a large amount of information about an attacker and his or her behavior. But, because it runs actual operating systems and services, a high-interaction honeypot is susceptible to compromise and being used as a base to launch an attack against other network components. Also, a high-interaction honeypot requires additional resources for deployment and maintenance. An example of this type of honeypot is the Symantec Decoy Server.
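A small low-interaction honeypot in the style of steps 3 to 5 of the Honeyd description above, added here as an example; it is not part of Honeyd and not code from the chapter. It pretends to be an FTP or HTTP server, answers with canned replies, and logs every line an attacker sends, including USER/PASS credentials, as one JSON record per session. The banners, the log file name honeypot.jsonl and the listening port 2121 are assumptions chosen for the example, and the session lines in the test are constructed.

```python
from __future__ import annotations
import json
import socketserver
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    peer: str
    service: str
    events: list[dict] = field(default_factory=list)   # everything the attacker did


class FtpEmulator:
    """Pretends to be an FTP server: greets, accepts USER/PASS, always rejects the login."""
    banner = b"220 (vsFTPd 2.0.5)\r\n"     # constructed banner; choose one matching the OS you emulate

    def __init__(self) -> None:
        self.user = None
        self.done = False

    def respond(self, line: str, session: Session) -> bytes:
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            session.events.append({"type": "login-attempt", "user": arg})
            return b"331 Please specify the password.\r\n"
        if cmd == "PASS":
            # Passwords tried against the decoy are exactly the intelligence a honeypot is for.
            session.events.append({"type": "credential", "user": self.user, "password": arg})
            return b"530 Login incorrect.\r\n"
        if cmd == "QUIT":
            self.done = True
            return b"221 Goodbye.\r\n"
        session.events.append({"type": "command", "line": line})
        return b"530 Please login with USER and PASS.\r\n"


class HttpEmulator:
    """Pretends to be a web server: records the request line and headers, answers 404."""
    banner = b""    # HTTP servers speak second, so there is no greeting

    def __init__(self) -> None:
        self.done = False
        self.seen_request_line = False

    def respond(self, line: str, session: Session) -> bytes:
        if not self.seen_request_line:
            self.seen_request_line = True
            session.events.append({"type": "request", "line": line})
            return b""
        if line == "":                        # blank line ends the request headers
            self.done = True
            return (b"HTTP/1.0 404 Not Found\r\nServer: Apache/2.2.3\r\n"
                    b"Content-Length: 0\r\nConnection: close\r\n\r\n")
        session.events.append({"type": "header", "line": line})
        return b""


EMULATORS = {21: FtpEmulator, 80: HttpEmulator}   # port the decoy service claims to be


def run_session(port: int, peer: str, lines: list[str]) -> tuple[Session, list[bytes]]:
    """Drive an emulator with the lines an attacker sent; return the log record and the replies.
    This is the logic the socket handler below uses, testable without a network."""
    emulator = EMULATORS[port]()
    session = Session(peer=peer, service=type(emulator).__name__)
    replies = [emulator.banner] if emulator.banner else []
    for line in lines:
        reply = emulator.respond(line, session)
        if reply:
            replies.append(reply)
        if emulator.done:
            break
    return session, replies


class HoneypotServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, listen: tuple[str, int], emulated_port: int, log_path: str = "honeypot.jsonl"):
        super().__init__(listen, HoneypotHandler)
        self.emulated_port = emulated_port
        self.log_path = log_path


class HoneypotHandler(socketserver.StreamRequestHandler):
    def handle(self) -> None:
        emulator = EMULATORS[self.server.emulated_port]()
        peer = f"{self.client_address[0]}:{self.client_address[1]}"
        session = Session(peer=peer, service=type(emulator).__name__)
        if emulator.banner:
            self.wfile.write(emulator.banner)
        while not emulator.done:
            raw = self.rfile.readline()
            if not raw:
                break
            reply = emulator.respond(raw.decode("latin-1").rstrip("\r\n"), session)
            if reply:
                self.wfile.write(reply)
        record = {"ts": time.time(), "peer": peer, "service": session.service, "events": session.events}
        with open(self.server.log_path, "a") as fh:   # one JSON line per session; ship off-box in practice
            fh.write(json.dumps(record) + "\n")


if __name__ == "__main__":
    # Listen on an unprivileged port but behave like FTP; binding port 21 itself needs root.
    HoneypotServer(("0.0.0.0", 2121), emulated_port=21).serve_forever()
```

Two design points follow from the text. The emulator never lets a login succeed and never executes anything, which is what keeps a low-interaction honeypot from becoming a launch point, and also what lets a careful attacker recognize it. The log is written to a separate file rather than the console because the record of the session, not the session itself, is the product: in a deployment it should be forwarded to a log host the attacker cannot reach.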

12.2.3 When to Use a Honeypot

As discussed earlier in this chapter, a honeypot is used in either a research or production mode. The research type of honeypot has high levels of interaction with an attacker and performs the following functions:
▲ Through a honeynet, it captures information on the behaviors, characteristics, intentions, and identities of attackers. A honeynet is a controlled network of high-interaction honeypots that are intended to be targets of attacks.
▲ It provides information on the activities of specific organizations and associated threats.
▲ It gathers data on attacks occurring globally (distributed research honeypots).
A production honeypot is designed to emulate an actual operating system and services on a computer system for the express purposes of identifying vulnerabilities and acquiring information that can be used to detect and apprehend attackers. Specifically, a production honeypot can do the following:
▲ Determine how an attacker gained access to the network.
▲ Indicate that an attack is occurring.
▲ Monitor the attack in real time.
▲ Acquire information about the attacker.
▲ Isolate the attacker from the remainder of the network.

FOR EXAMPLE
Honeynet Project
The Honeynet Project was established in 1999 as a network security research activity using honeynets and honeypots to explore and discover an attacker's behaviors, tools, motives, and approaches, and to apply the lessons acquired from this effort. During the first two years, the Honeynet research group was limited to 30 members. In 2002, the Honeynet Research Alliance was formed to include a larger number of contributors, including researchers from India, Brazil, Mexico, Greece, and Ireland. The team members volunteer their time and contribute hardware and software to the project. More information about the Honeynet Project is available at www.honeynet.org.

12.2.4 Legal Considerations

Deploying a honeypot requires careful consideration of the legal issues involved with monitoring, gathering information on, and prosecuting an individual based on the use of a honeypot. Some of the legal concerns are as follows:
▲ The liability of your organization if your honeypot is used to attack another organization's network.
▲ The possibility that an attacker apprehended through the use of a honeypot will claim entrapment.
▲ Privacy rights of individuals being monitored on your network.
▲ Relevant laws of different jurisdictions outside of the United States.
Deployment and use of honeypots without an understanding of the national, state, and local laws can lead to civil and criminal penalties for violating an individual's privacy rights through illegal monitoring of his or her activities. For example, evidence obtained by an agent of the U.S. government, or by a private individual acting at the behest of an agent of the U.S. government, can be in violation of the Fourth Amendment of the U.S. Constitution. A private individual who is not acting as an agent of the U.S. government is not bound by the Fourth Amendment and can deploy a honeypot. However, that individual is still bound by state and federal privacy laws that might be applicable to monitoring a person's communications. Another legal consideration is the 1968 Federal Wiretap Act, which is sometimes referred to as Title III. This Act was expanded in 1986 and establishes procedures for court authorization of real-time surveillance of electronic communications. The types of activities for which wiretaps can be authorized were increased by the United States Patriot Act.

SELF-CHECK
1. Describe the role of a honeypot.
2. What are the legal issues involved with using a honeypot?

12.3 Forensics

When an intrusion occurs, your first thought will probably be how to keep the critical business processes running. However, when dealing with an attack that might require criminal prosecution, you need to take a step back and think about the evidence you will need to prosecute and how you can obtain it so that it is admissible in court. To do this, you need to know about forensics. Forensics is the science of gathering and preserving evidence. A detailed discussion of forensic practices would require a book of its own. This section will not make you an expert in forensics. Instead, it introduces some key concepts that will help you secure the evidence you need, or at least not damage it before the forensic expert your company hires arrives.

12.3.1 Understanding Evidence

Evidence is information presented in court that attempts to prove a crime was committed. When your network or a computer on your network is attacked, evidence can take several forms. For example, evidence might include the following:
▲ A hardware device, such as a computer, router, or hard drive. This type of evidence is known as physical evidence or real evidence.
▲ Log files.
▲ Database files.
▲ Files on a hard disk.
▲ Captures of a computer's state.
Data retrieved from a computer that provides documentation of what occurred is known as documentary evidence. Guidelines for the types of evidence you should collect are available in RFC 3227 (Guidelines for Evidence Collection and Archiving), which also recommends collecting in order of volatility: the most volatile data (registers, memory, network state) first, and disk contents last.
One of the challenges you will face is that computer data is easy to modify. Therefore, you need to be sure you can prove that the evidence was not planted on the computer. You need to take the necessary precautions when handling compromised computers to avoid making the data inadmissible in court. These precautions include the following:
▲ Preventing bits on the hard disk from being changed.
▲ Avoiding environmental or power-related damage to the physical device.
Evidence should be stored in a secure location to protect it from tampering. Another critical step you must take is to create a chain of custody for each item that might be considered evidence. A chain of custody provides detailed documentation of every action performed on a piece of evidence, including the date and time the item was removed from storage, the person performing the action, a detailed description of the action, and the date and time the item was returned to storage.

12.3.2 Gathering Evidence on a Live System

Depending on the nature of the attack, you might need to document the current state of the system. Some information about what is happening on a computer is lost when you shut down (or unplug) the computer. This information is known as volatile data. Information you might need to gather from a live system includes the following:
▲ Listening ports
▲ Network connections
▲ Running applications
When gathering this information, you will want to be extremely careful not to modify the system or write the data to the hard disk. One way to gather data is to write it to a USB drive. Special forensics tools are available for gathering data. A discussion of specific tools is beyond the scope of this chapter. However, certain operating system utilities can be used to gather important information; we'll look at those next.

Viewing Information about Listening Ports and Network Connections

You can view information about listening ports and established network connections by using the netstat -a command-line utility. It displays the protocol, the local address (including the port), the foreign address (including the port), and whether the connection is listening or established. An example of running netstat -a is shown in Figure 12-4. To save the output to a file instead of displaying it on the screen, redirect it:
netstat -a > path
For example, to save the output to a file named "netstat.txt" on the USB drive referenced by E:, you would run
netstat -a > e:\netstat.txt
Two practical points: on Windows XP and later, netstat -ano adds the process ID that owns each connection, which is what lets you tie a suspicious port to a process in the tasklist output; and because a rootkit may have replaced the system's own netstat, run the copy from a trusted toolkit on the USB drive and record a hash of each output file as soon as it is written so the capture can be entered into the chain of custody.

Figure 12-4 netstat -a.

Viewing Information about Running Applications

You should also save information about the applications running on the computer. On a Windows computer, Task Manager allows you to view the processes running on the computer, as shown in Figure 12-5. However, it does not allow you to save the data to a file. Another drawback is that Task Manager lists several instances of svchost.exe. That is because a number of services run under the context of the svchost.exe application. These services could include malware. The tasklist command-line utility allows you to output a list of processes running on the computer. Use the /svc option to identify each service running within a process, as shown in Figure 12-6. As with netstat, you can use the > operator to cause the output to be stored to disk. For example, to save the output to a file named "tasklist.txt" on drive E:, you would execute
tasklist /svc > e:\tasklist.txt

Figure 12-5 Task Manager.

Figure 12-6 tasklist /svc.
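An added Python example (not from the chapter) that parses the output of the two utilities above and, when given a destination folder, runs them on the live host and writes the raw text plus a SHA-256 of each file to that folder for the chain-of-custody record. The netstat -a and tasklist /svc text below is constructed in the layout the Windows tools print; the listening port 4444 with an established connection to an outside address, and the svchost.exe instance hosting no services, are planted as the kind of finding a first look at this data should surface.

```python
from __future__ import annotations
import hashlib
import re
import subprocess
import sys
from pathlib import Path

# Constructed sample output, in the layout netstat -a and tasklist /svc print on Windows.
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      203.0.113.9:4444       ESTABLISHED
  TCP    192.168.1.10:1052      198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

TASKLIST_SAMPLE = """\

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    900 RpcSs
svchost.exe                   1024 Dnscache, LanmanWorkstation, Schedule
svchost.exe                   1380 N/A
lsass.exe                      660 PolicyAgent, ProtectedStorage, SamSs
"""

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")
TASKLIST_LINE = re.compile(r"^(.+?)\s+(\d+)\s+(.+?)\s*$")   # image name, PID, service list


def _split_addr(addr: str) -> tuple[str, int | None]:
    host, _, port = addr.rpartition(":")            # rpartition copes with IPv6 literals too
    return host, int(port) if port.isdigit() else None


def parse_netstat(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:                                   # banner and column headers
            continue
        proto, local, remote, state = m.groups()
        lhost, lport = _split_addr(local)
        rhost, rport = _split_addr(remote)
        rows.append({"proto": proto, "local_ip": lhost, "local_port": lport,
                     "remote_ip": rhost, "remote_port": rport, "state": state or None})
    return rows


def listening_ports(conns: list[dict]) -> set[int]:
    return {c["local_port"] for c in conns if c["state"] == "LISTENING"}


def established(conns: list[dict]) -> list[dict]:
    return [c for c in conns if c["state"] == "ESTABLISHED"]


def parse_tasklist_svc(text: str) -> list[dict]:
    procs = []
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if not m:                                   # header and separator rows carry no PID
            continue
        image, pid, services = m.groups()
        procs.append({"image": image.strip(), "pid": int(pid),
                      "services": [] if services == "N/A" else [s.strip() for s in services.split(",")]})
    return procs


def svchost_without_services(procs: list[dict]) -> list[dict]:
    """svchost.exe exists only to host services; an instance hosting none deserves a look."""
    return [p for p in procs if p["image"].lower() == "svchost.exe" and not p["services"]]


def collect(dest: Path) -> dict[str, str]:
    """Run both utilities on the live host, save the raw output under dest (for example the
    USB drive E:\\case001) and return the SHA-256 of each file for the chain-of-custody record.
    Windows only; nothing is written anywhere but dest."""
    dest.mkdir(parents=True, exist_ok=True)
    digests = {}
    for name, cmd in (("netstat.txt", ["netstat", "-a"]), ("tasklist.txt", ["tasklist", "/svc"])):
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        (dest / name).write_text(out)
        digests[name] = hashlib.sha256((dest / name).read_bytes()).hexdigest()
    (dest / "hashes.sha256").write_text("".join(f"{h}  {n}\n" for n, h in digests.items()))
    return digests


if __name__ == "__main__":
    if len(sys.argv) > 1:                           # python live_response.py E:\case001
        print(collect(Path(sys.argv[1])))
    else:                                           # no argument: analyse the constructed samples
        conns = parse_netstat(NETSTAT_SAMPLE)
        print("listening:", sorted(listening_ports(conns)))
        for c in established(conns):
            print("established to", c["remote_ip"], c["remote_port"])
        for p in svchost_without_services(parse_tasklist_svc(TASKLIST_SAMPLE)):
            print("svchost with no services, PID", p["pid"])
```

The parser reads the one-line-per-process layout shown in Figure 12-6; when a process hosts many services tasklist wraps the list onto indented continuation lines, which this version ignores, so treat its service lists as a first pass and keep the raw text as the evidence. The hashes file is what you copy into the chain-of-custody log: anyone can later re-hash netstat.txt and show it is the file captured on the box.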

12.3.3 Preparing a Hard Drive Image

If you are going to present any portion of the contents of a hard disk as evidence in a trial, you will need to be able to prove that the data on the hard disk was not modified. To do so, you need to take the following steps before examining a hard drive's contents:
1. Create a checksum or Message-Digest algorithm 5 (MD5) hash of the drive. You will use this hash to compare against a disk image you create to ensure that the data has not been changed.
2. Create a bitstream image of the drive. A bitstream image copies each bit on the drive exactly, meaning that the checksum or MD5 hash of the image will be identical to that of the drive.
3. Create a checksum or MD5 hash of the image. You will periodically create a new hash of the image to verify that nothing has changed. If at any point the checksums do not match, you will need to repeat steps 2 and 3 before proceeding.
One caveat on the choice of hash: MD5 collisions can be constructed deliberately, so current practice is to record a SHA-256 digest (or both MD5 and SHA-256), which also removes a line of attack on the evidence in court.
One way to ensure that you don't change the image inadvertently is to use a write blocker. You can purchase software write blockers or hardware write blockers. In either case, they work by preventing write operations from occurring. You need special tools to create a bitstream image. A number of different tools are available that allow you to prepare a hard drive image. One popular tool is the dd utility included with many Linux and Unix distributions. A Windows version is also available. Make sure the tool you use to create the image is forensically sound. When you select a tool, you need to verify that it has been validated for use in forensics. The National Institute of Standards and Technology (NIST) tests forensic tools and publishes the results of those tests on its website. You should investigate the forensic tools you plan to use to make sure they are accepted by the governing bodies in the locales where you are planning to present the evidence in court. If a tool has been used in other cases and you have documentation to that effect, it is more likely to be accepted as credible by the judge and jury. If it hasn't been, the defense might be able to use that fact to invalidate your evidence.
Another point to keep in mind is that the destination disk for the image must be sanitized. Sanitizing a disk is more than just deleting the data from it or formatting it. You must ensure that there are no remnants left of the data it previously contained. The United States Department of Defense guidelines for sanitizing a disk are to write a specific value to each byte on the first pass and write its complement value on the second pass. For example, "00001111" would be written on the first pass and "11110000" would be written on the second pass. (The full DoD 5220.22-M procedure adds a third pass of random data and then verifies the result.) Some tools, such as WinHex by X-Ways Forensics, can be used to sanitize the destination disk.

FOR EXAMPLE
Choosing the Right Tool for the Right Job
Although Symantec's Ghost is a popular tool among network administrators, it is not the right tool for creating a disk image to be used for a forensic investigation. Ghost does not perform a bitstream copy of the disk. Therefore, when you try to compare hash values, they are likely to be different.
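The three steps above, carried out in an added Python example that is not part of the chapter: hash the source, make a bitstream copy in fixed-size blocks (what dd does), hash the copy, and re-verify later; it also performs the two-pass pattern/complement wipe of the destination described in the text before the copy, and shows what a single byte changed without a write blocker does to the verification. The in-memory "drives" in run_demo are constructed data so the example runs offline; image_drive applies the same logic to real paths, which on Linux means a block device such as /dev/sdb read as root behind a write blocker (an assumed path, not from the text). Both MD5 and SHA-256 are recorded.

```python
from __future__ import annotations
import hashlib
import io

CHUNK = 1024 * 1024            # read and write in 1 MiB blocks, like dd bs=1M


def hash_stream(fobj, algorithms=("md5", "sha256")) -> dict[str, str]:
    """Hash a seekable stream from the start; returns {algorithm: hexdigest}."""
    fobj.seek(0)
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = fobj.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=("md5", "sha256")) -> dict[str, str]:
    return hash_stream(io.BytesIO(data), algorithms)


def verify(expected: dict[str, str], fobj) -> bool:
    """Re-hash the stream and compare with the digests recorded earlier."""
    return hash_stream(fobj, tuple(expected)) == expected


def sanitize(dst, size: int, pattern: int = 0b00001111) -> None:
    """Two-pass overwrite of the destination as in the DoD guideline quoted in the text:
    the pattern on pass one, its complement on pass two."""
    for value in (pattern, (~pattern) & 0xFF):
        dst.seek(0)
        block = bytes([value]) * CHUNK
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            dst.write(block[:n])
            remaining -= n
        dst.flush()


def bitstream_copy(src, dst) -> int:
    """Copy every byte of src to dst in order and return the count. Nothing is interpreted:
    unallocated space and slack space travel with the data, unlike a file-level copy."""
    src.seek(0)
    dst.seek(0)
    total = 0
    while True:
        block = src.read(CHUNK)
        if not block:
            break
        dst.write(block)
        total += len(block)
    dst.truncate(total)
    dst.flush()
    return total


def image_drive(src_path: str, dst_path: str) -> dict:
    """File-based wrapper, e.g. image_drive("/dev/sdb", "/evidence/sdb.dd") on Linux
    (run as root, with the source behind a write blocker; assumed paths)."""
    with open(src_path, "rb") as src, open(dst_path, "w+b") as dst:
        drive = hash_stream(src)            # step 1: hash the drive
        copied = bitstream_copy(src, dst)   # step 2: bitstream image
        image = hash_stream(dst)            # step 3: hash the image
    return {"drive": drive, "image": image, "bytes": copied, "match": drive == image}


def run_demo() -> dict:
    """Same three steps on in-memory drives built from constructed data."""
    drive = io.BytesIO(bytes(range(256)) * 4096 + b"CONFIDENTIAL NOTES")   # 1 MiB + 18 bytes
    size = len(drive.getvalue())
    # Destination disk left over from an earlier case: must be sanitized before reuse.
    dest = io.BytesIO(b"OLD CASE EVIDENCE " * 131072)
    sanitize(dest, len(dest.getvalue()))
    remnant = b"EVIDENCE" in dest.getvalue()
    wiped_to_complement = set(dest.getvalue()) == {0b11110000}

    drive_hashes = hash_stream(drive)
    copied = bitstream_copy(drive, dest)
    image_hashes = hash_stream(dest)
    match_after_copy = verify(drive_hashes, dest)

    # Someone opens the image without a write blocker and touches one byte.
    dest.seek(4096)
    dest.write(b"\xff")
    match_after_tamper = verify(drive_hashes, dest)

    return {"drive_size": size, "bytes_copied": copied,
            "drive_hashes": drive_hashes, "image_hashes": image_hashes,
            "remnant_after_sanitize": remnant, "wiped_to_complement": wiped_to_complement,
            "match_after_copy": match_after_copy, "match_after_tamper": match_after_tamper}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the one-byte tamper at the end is the step-3 rule in the text: once the image no longer matches the recorded digests there is no way to show which byte changed or why, so the image has to be recreated from the drive. Hashing in fixed blocks rather than reading the whole device into memory is what makes the same code usable on a multi-terabyte disk.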

12.3.4 Searching for Data on a Hard Drive

After you have created a bitstream image of the drive, you can mount the image using a write blocker and begin to search for data. You should use a write blocker to ensure that you do not modify the data on the image, which would require you to create a new image because the checksum would have changed. In this section, we'll look at some of the standard places you can find data using operating system features. These include the following:
▲ Log files
▲ Hidden files
▲ Temporary Internet files
▲ Temporary application files
▲ Deleted files
▲ Email
The specific examples we give will be mostly Windows examples. However, the same basic concepts apply regardless of the operating system the compromised computer is running.

Log Files

Operating systems store information about events in log files, as do some applications and services. A good place to start looking for information about the potential attack is to examine the log files on the computer. The Windows Security log, shown in Figure 12-7, shows security events that have occurred, provided the system is configured to log those events. Other log files can be viewed through Event Viewer; one example is the DNS Server log. The Application log is a log file used by a number of applications. Also, some applications create their own log files that cannot be read by Event Viewer. Consult the application's documentation for information about where to locate these log files. You might also check the directory where the application is installed. Keep in mind that an attacker who gained administrative rights may have cleared or edited the logs, so an empty or truncated Security log is itself a finding worth recording.

Figure 12-7 Security log.

Hidden Files

Users might try to hide their tracks by hiding malicious files. They might do so by changing the name or file extension of a file so that it looks like something benign. Or they might set the Hidden attribute on a Windows file or folder, as shown in Figure 12-8. A more advanced tactic might be to also set the System attribute on a file. By default, Windows does not display files with the Hidden attribute set, and it continues to hide files with the System attribute set even after hidden files are shown. You can change this behavior and cause Windows to display hidden files and protected operating system files through Folder Options, as shown in Figure 12-9. On a computer running Linux or Unix, you can create a hidden file by starting the filename with a period. Attackers sometimes create a hidden directory named with three periods (...) because it blends in with the . and .. entries of a directory listing. To view hidden files on a Unix or Linux computer, execute ls -a.

Figure 12-8 Hidden attribute.

Figure 12-9 Showing hidden and system files.

Temporary Internet Files

Another possible place to look, especially when examining a computer from which you suspect an attack was launched, or if you suspect an employee is downloading harmful content, is the Temporary Internet Files cache. A number of websites download temporary files to a user's hard disk to allow a web page to load more quickly on subsequent requests or to maintain data between requests using cookies. The path to the temporary files will be different depending on the browser. On a computer running Windows XP, Internet Explorer stores them under the user's profile folder at Local Settings\Temporary Internet Files, a hidden folder. Figure 12-10 shows some temporary files stored by Internet Explorer.

Figure 12-10 Temporary Internet Files.

Temporary Files

Another type of temporary file is that created by some applications, such as word processing applications. Although applications sometimes delete the temporary files they create, some do not. These files might contain valuable information. Microsoft Office, for example, gives its temporary files names that start with a tilde (~). Figure 12-11 shows some temporary files left behind by Microsoft Word while writing this book.

Figure 12-11 Temporary application files.

Deleted Files

When a user deletes a file, is it gone? The answer is no. On a Windows computer, a deleted file will be moved to the Recycle Bin, as shown in Figure 12-12. However, even when the Recycle Bin is emptied, deleted files (or remnants of them) still remain on the hard disk. On a FAT volume, when a file is deleted the first character of its directory entry is changed to 0xE5 (hexadecimal E5) and the area of the hard disk where that file was stored becomes available; NTFS likewise only marks the file's record and clusters as unused. Until those bits of the hard disk are overwritten with other data, the file's contents are left behind on the disk. If this is the case, some (or all) of the file contents will be available.
Even a file that has been partly overwritten can leave data behind. This is because a file is written to the hard disk in clusters, and a file will not always fill an entire cluster. For example, suppose you have a file that is 20 KB and a cluster is 32 KB. When the 20 KB file is deleted, its cluster becomes available. Now suppose the next file created at that location is only 5 KB. The leftover area in the cluster will still contain 15 KB of the data from the previous file (see Figure 12-13). The data left over in the cluster is known as slack space and can be analyzed by some forensics and data recovery applications, such as the forensic version of WinHex by X-Ways Software Technology.

Figure 12-12 Recycle Bin.

Figure 12-13 Slack space. [Diagram: file 1 and file 2 in one cluster; the area after file 2 is labelled slack space.]

Hidden Shares

Another thing to look for as evidence of an attack is a hidden share planted by the attacker. A hidden share is one with a "$" appended to the share name. A hidden share does not show up when browsing shares in My Network Places. You can use the net share command, as shown in Figure 12-15, to view all shares on a Windows system, including hidden shares.

Email

If the attack was based on malware distributed through email, a spam attack, or a phishing attack, you might want to gather information through email. You might also be able to use email as evidence if the attacker is an employee. One thing to keep in mind is that an email has a header that allows you to view its path from its source to its destination: each mail server that handles the message prepends a Received: line, so reading those lines from the bottom up traces the route, although the lines below the first server you trust can be forged by the sender. Figure 12-14 shows the email header displayed using Microsoft Outlook 2003.
the remnants left behind by the previous file will still be on the disk.

Figure 12-15 Hidden shares. 456 .Figure 12-14 Email header.
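The scan below is an added example (not the book's code): it walks a directory tree the way ls -a would and flags the naming tricks from the Hidden Files and Temporary Files sections, namely dot-prefixed names, the three-period directory trick, tilde-prefixed temporary files and, when run on Windows, the Hidden and System attributes. The sample tree it builds is constructed for the demonstration.

```python
"""Added example, not from the book: a scan for the file-hiding tricks described above.

Flags dot-prefixed names (hidden on Unix/Linux), the "..." directory trick,
tilde-prefixed Windows temporary application files, and, when the stat result
exposes them (Windows only), the Hidden and System attributes.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path


def classify(path: Path) -> list[str]:
    """Return the reasons a path deserves a closer look; an empty list if none."""
    reasons = []
    name = path.name
    if name.startswith("..."):
        # three leading periods: hidden like any dotfile, but easy to miss in
        # ls -a output because it resembles the "." and ".." entries
        reasons.append("three-period name (hidden directory trick)")
    elif name.startswith("."):
        reasons.append("dot-prefixed (hidden on Unix/Linux)")
    if name.startswith("~"):
        reasons.append("tilde-prefixed (Windows temporary application file)")
    # st_file_attributes exists only on Windows; elsewhere treat attributes as 0
    attrs = getattr(path.lstat(), "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        reasons.append("Windows Hidden attribute set")
    if attrs & getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0):
        reasons.append("Windows System attribute set")
    return reasons


def scan(root: str | os.PathLike) -> dict[str, list[str]]:
    """Walk root like ls -a (dot entries included) and map relative paths to reasons."""
    root = Path(root)
    findings: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="forensics_demo_"))
    (root / "report.txt").write_text("ordinary file\n")
    (root / ".bash_history").write_text("ls -a\n")
    (root / "...").mkdir()                       # the three-period trick (Unix/Linux only)
    (root / "..." / "payload.bin").write_bytes(b"\x00" * 16)
    (root / "~WRL0001.tmp").write_text("word processor scratch data\n")
    return str(root)


if __name__ == "__main__":
    for rel, why in sorted(scan(build_sample_tree()).items()):
        print(f"{rel:20} {'; '.join(why)}")
```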
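To make the slack-space arithmetic in the Deleted Files section concrete, this added example (not from the book) models a disk as 32 KB clusters, deletes a 20 KB file the way the text describes (first byte of the directory entry set to 0xE5, clusters freed, data left in place), writes a 5 KB file over it, and then reads back what a forensic tool would find in the slack. File names and contents are constructed.

```python
"""Added example, not from the book: a cluster-level model of deletion and slack space.

A disk is a list of fixed-size clusters. Deleting a file only rewrites the first
byte of its directory entry to 0xE5 and returns its clusters to the free list;
the data stays on disk until something overwrites it.
"""
from dataclasses import dataclass, field

DELETED_MARK = 0xE5          # first byte of a deleted directory entry


@dataclass
class Entry:
    name: bytes              # raw directory-entry name; byte 0 becomes 0xE5 on delete
    size: int                # logical file size in bytes
    clusters: list           # cluster numbers holding the file, in order


@dataclass
class ClusterDisk:
    cluster_size: int
    n_clusters: int
    clusters: list = field(init=False)
    free: list = field(init=False)
    directory: list = field(default_factory=list)

    def __post_init__(self):
        self.clusters = [bytearray(self.cluster_size) for _ in range(self.n_clusters)]
        self.free = list(range(self.n_clusters))

    def write(self, name: str, data: bytes) -> Entry:
        """Allocate the lowest free clusters and copy only len(data) bytes into them."""
        needed = -(-len(data) // self.cluster_size)        # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(used):
            chunk = data[i * self.cluster_size:(i + 1) * self.cluster_size]
            self.clusters[c][:len(chunk)] = chunk             # tail of cluster untouched
        entry = Entry(name.encode(), len(data), used)
        self.directory.append(entry)
        return entry

    def delete(self, name: str) -> None:
        """Mark the entry deleted (0xE5) and free its clusters without wiping them."""
        for e in self.directory:
            if e.name == name.encode():
                e.name = bytes([DELETED_MARK]) + e.name[1:]
                self.free = sorted(self.free + e.clusters)
                return
        raise FileNotFoundError(name)

    # What a forensic or data-recovery tool can still see:
    def deleted_entries(self) -> list:
        """Entries whose first byte is 0xE5: the name survives minus its first character."""
        return [e for e in self.directory if e.name[0] == DELETED_MARK]

    def slack(self, entry: Entry) -> bytes:
        """Bytes of the file's last cluster that lie past the file's logical end."""
        if not entry.clusters:
            return b""
        used_in_last = entry.size - (len(entry.clusters) - 1) * self.cluster_size
        return bytes(self.clusters[entry.clusters[-1]][used_in_last:])


def demo() -> dict:
    """The book's numbers: 20 KB file deleted, 5 KB file written into the same 32 KB cluster."""
    KB = 1024
    disk = ClusterDisk(cluster_size=32 * KB, n_clusters=4)
    disk.write("secret.txt", b"S" * (20 * KB))                 # constructed contents
    disk.delete("secret.txt")
    note = disk.write("note.txt", b"N" * (5 * KB))             # reuses cluster 0
    slack = disk.slack(note)
    return {
        "deleted_names": [e.name for e in disk.deleted_entries()],
        "old_bytes_in_slack": slack.count(b"S"),                # 15 KB of the old file
        "slack_len": len(slack),                               # 27 KB past the new file
    }


if __name__ == "__main__":
    print(demo())
```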
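The path described in the Email section is recorded in the Received: headers, which each relay prepends, so reading them bottom-up gives the route from source to destination. This added example (not from the book) parses a constructed message with placeholder hosts and documentation-range addresses; a sender can forge the bottom-most lines, so only the hops written by servers you control are trustworthy.

```python
"""Added example, not from the book: reconstructing an email's route from its Received: headers.

Each relay prepends its own Received: line, so the top line is the final hop and
the bottom one is closest to the source. The message below is constructed, with
placeholder host names and documentation-range addresses.
"""
import email
import re

SAMPLE_MESSAGE = """\
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mail.example.com with ESMTP id ABC123; Mon, 1 Jan 2007 10:02:11 -0500
Received: from sender-pc (unknown [203.0.113.45])
\tby relay.example.org with SMTP; Mon, 1 Jan 2007 10:01:58 -0500
From: someone@example.org
To: victim@example.com
Subject: constructed sample

body text
"""

# "from <host> ... by <host>" is the common shape of a Received: clause
HOP_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_path(raw: str) -> list:
    """Return the hops in transit order (source first) as from/by/ip dicts."""
    msg = email.message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):   # bottom-up = source first
        flat = " ".join(header.split())                       # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue                                          # non-standard line; skip it
        ip = IP_RE.search(flat)
        hops.append({"from": m["from"], "by": m["by"], "ip": ip.group(1) if ip else None})
    return hops


def origin_ip(raw: str):
    """Address recorded for the first hop. Only the lines added by servers you
    control are reliable; anything below them could have been forged by the sender."""
    hops = received_path(raw)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    for n, hop in enumerate(received_path(SAMPLE_MESSAGE), 1):
        print(f"hop {n}: {hop['from']} ({hop['ip']}) -> {hop['by']}")
```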

FOR EXAMPLE

Forensically Speaking

Although some information can be gathered using operating system tools, if you want to be sure your evidence is forensically sound, you'll need to obtain forensics tools and use them to protect the hard disk, create the image, and gather data. Some tools, such as The Sleuth Kit, are freely downloadable. The Sleuth Kit is a command-line utility available for Unix, Linux, Mac® OS X, and Windows. On a Unix, Linux, or Mac OS X system, it utilizes the Autopsy Forensic Browser, which is a free graphical user interface. Some companies have some free tools and some that are available for purchase. For example, X-Ways Software Technology offers WinHex as a free download and X-Ways Forensics for purchase. Although you can download a free trial of X-Ways Forensics, its features are limited. Part of your security planning should be researching the forensics tools available and creating your own forensics tool kit. That way, you'll be ready if you need it.

SELF-CHECK

1. Describe a chain of custody.
2. Identify the steps you should take to ensure a disk examination is forensically sound.
3. Why must you gather some evidence before shutting down the computer?
4. Describe slack space.

SUMMARY

In this chapter you learned about ways to handle an attack when it occurs. We began with a discussion of intrusion detection systems, including a description of how they work and the difference between an NIDS and an HIDS. You also learned that an intrusion prevention system is an IDS that can automatically take steps to prevent an attack. From there we moved on to discuss honeypots. You learned that a honeypot is another way to detect a potential attack and that it allows you to better analyze the nature of the attack. Finally, we discussed forensics. You learned the importance of taking precautions when gathering evidence and the steps to take to prepare a hard disk for a forensic investigation. You also learned some of the things to look for during an investigation.

KEY TERMS

Attack signature database
Autopsy Forensic Browser
Behavior-based IDS
Bitstream image
Chain of custody
Complement value
dd utility
Documentary evidence
Email header
Evidence
False positive
Forensics
GNU General Public License (GNU GPL)
Header condition signature
Hidden attribute
Hidden share
High-interaction honeypot
Honeyd
Honeynet
Honeynet Project
Honeypot
Host-based IDS (HIDS)
Intelligent agent
Interaction
Intrusion detection (ID)
Intrusion detection system (IDS)
Intrusion prevention system (IPS)
Knowledge-based IDS
Low-interaction honeypot
Network-based IDS (NIDS)
Physical evidence
Port signature
Promiscuous mode
Real evidence
Recycle Bin
RFC 3227
Sanitized
Signature-based IDS
Slack space
Statistical anomaly IDS
String signature
svchost.exe
Task Manager
Tasklist
Temporary file
Temporary Internet files
The Sleuth Kit
Unused IP space
Volatile data
WinHex
Write blocker
X-Ways Forensics

ASSESS YOUR UNDERSTANDING

Go to www.wiley.com/college/cole to assess your knowledge of intrusion detection and forensics. Measure your learning by comparing pre-test and post-test results.

Summary Questions

1. Evidence collected from files on a computer is known as real evidence. True or False?
2. What type of IDS acts like a bridge? (a) HIDS (b) NIDS (c) inline NIDS
3. What type of device can be used as a decoy to distract attackers from accessing legitimate resources? (a) HIDS (b) honeypot (c) NIDS (d) IPS
4. A knowledge-based IDS must have its attack database kept up-to-date. True or False?
5. What type of data must be collected before shutting down a compromised computer? (a) a list of the processes running on the computer (b) a list of files in the Recycle Bin (c) the files in the Temporary Internet Files cache (d) any temporary application files
6. Which of the following steps should you take after creating an image of a disk, but before beginning your investigation of the disk's contents? (a) Create an MD5 hash of the disk. (b) Create an MD5 hash of the image. (c) View a list of processes running on the computer. (d) Install a forensics tool kit on the disk.
7. What tool can you use to view information about open network connections? (a) dd utility (b) Ghost (c) Netstat (d) Tasklist
8. A Windows file is permanently deleted when you empty the Recycle Bin. True or False?
9. Which of the following Linux directories would be hidden? (a) &hideme (b) nothere (c) $gone (d) .hidn
10. Which of the following Windows files is a temporary application file? (a) ~goingaway (b) ^gonebutnotforgotten (c) .solong (d) $byenow

Applying This Chapter

1. Busicorp's development team builds web applications for customers and deploys them on a perimeter network. Busicorp has hired a two-person security team. Part of their jobs will be to watch for signs that indicate an attack. Busicorp has asked you to recommend a strategy for detecting possible attacks on the network. One of Busicorp's concerns is that a detection system will trigger false alarms when a new customer application is deployed. Each application will have a different network access pattern. (a) What type of intrusion detection will you recommend? Explain why. (b) What would be the maintenance concern for this type of IDS? (c) Would you recommend the use of a honeypot? If so, where would you position it?
2. You are a security consultant who has been called in to investigate an attack against a company's client database. The company is most likely going to try to prosecute the attacker if his or her identity can be discovered. (a) Describe the importance of maintaining a chain of custody for all evidence. (b) What precautions will you take before attempting to find evidence on the hard disk? (c) When you arrive at the site, you find the customer has already shut down the system. What evidence have you lost? (d) List some areas you might check to determine whether there is a rootkit or other malicious software hidden on the computer. (e) One of the compromised computers is a Linux web server. How would you check for hidden files?

YOU TRY IT

Detecting and Analyzing Intrusions

An intrusion detection strategy is only valuable if someone looks at the logs of suspicious activity. A honeypot's value is also dependent on someone reviewing the information it provides. Think about the systems described in this chapter and consider how you could make reviewing the data easier. Describe some "best practices" for each of the following systems:
▲ Signature-based IDS
▲ Statistical anomaly IDS
▲ Honeypot

Always Be Prepared

Probably the most important guideline in recovering from an attack is to be prepared to do so. Consider the forensics procedures we have discussed so far.
1. Describe how being prepared can help you prevent damaging the admissibility of evidence or the evidence itself.
2. Discuss why a bitstream image of each hard disk you examine is essential.
3. Describe what is meant by volatile data.
4. Why is it important to investigate data recovery and disk imaging tools before you use them in an investigation?

GLOSSARY

%systemroot%: An environmental variable that stores the path to the folder where Windows® is installed (usually C:\Windows).
.NET Passport authentication: See Windows Live™ authentication.
/etc/group file: A file on a Unix® or Linux computer that stores a list of groups.
/etc/passwd file: A file on a Unix or Linux computer in which user accounts are stored.
/etc/profile file: A file on a Unix or Linux computer that stores information about the actions to take when a user logs in.
24x7 availability: The requirement for a resource to be available seven days a week, twenty four hours a day.
3DES: A symmetric encryption algorithm that applies the DES algorithm three times for a key length of 168 bits. Stands for Triple DES.
802.11a: A wireless networking standard that operates at 54Mbps, but only has a short range.
802.11b: A wireless networking standard that supports speeds of up to 11Mbps and uses the same part of the radio spectrum as 802.11g.
802.11g: A wireless networking standard that supports speeds of up to 54Mbps and uses the same part of the radio spectrum as 802.11b.
802.11i: A wireless security protocol that incorporates TKIP, 802.1x, and Advanced Encryption Standard (AES).
802.1Q: A specification that defines the standard tagging protocol most widely used on VLANs.
802.1x: A wireless security standard that requires TKIP for data integrity and EAP-TLS or PEAP for authentication. 802.1x requires a RADIUS server.
A record: See Host record.
Acceptability: A criterion for evaluating a biometric system that considers privacy, invasiveness, and psychological and physical comfort when using the system.
Access client: The TACACS term for a person or device that dials in to an ISP.
Access token: An object that contains information about a user who is logged on, including the user SID and any group membership SIDs.
Account Operators: An Active Directory built-in Domain Local group whose members can manage user and group accounts on a domain controller.
Accountability: Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party.
acct command: A command that records all executed commands on a Linux or Unix® system.
accton command: A Linux or Unix command that can be used to enable accounting.
ACE: A part of a DACL or SACL that identifies a user or group, a type of access, and whether access is granted or denied. Stands for access control entry.
ACK message: A packet used to acknowledge the receipt of a packet with a specific sequence number. Stands for acknowledgement message.
ACL (DAC): A table that lists the access level each subject should have to an object. Stands for access control list.
ACL (Windows): A list of security protections that apply to an object or to one or more object properties. Stands for access control list.
Active Directory®: The directory system used by Windows 2000 and Windows Server 2003.
Active Directory Application Mode (ADAM): A technology that allows encrypted directory data to be transmitted to a server on the perimeter network, such as the Edge Transport server role in Microsoft® Exchange 2007.
Active Directory client extensions: Software that can be installed on legacy Windows operating systems to allow them to use NTLMv2 as the authentication protocol.
Active Directory database: The storage location for domain security principals and other domain objects in a Windows 2000 or Windows Server 2003 domain.
Active Directory forest: One or more domains that trust each other and share the same forest root domain.
Active Directory–Integrated (ADI) zone: A zone that is stored in the Active Directory® database and can be replicated between domain controllers.
Active node: A cluster node that handles service requests.
Active Server Pages (ASP): Microsoft®'s server-side programming technology that allows you to write scripts that are interpreted by the server.
ActiveX: A technology developed by Microsoft for creating reusable content that can be distributed over the Internet or through an application installation.
ActiveX control: A user-interface element that is created using ActiveX® and embedded in a web page. An ActiveX control must be downloaded to the client.
Ad hoc mode: A peer-to-peer communication mode for a wireless network. Ad hoc mode does not utilize a wireless access point.
Add-on: See Plug-in.
Address Resolution Protocol (ARP) spoofing tool: A tool that intercepts and modifies email packets at some point in their transmission path in order to launch a man-in-the-middle attack.

Administrative shares: See Hidden shares.
Administrators: An Active Directory built-in Domain Local group whose members have full control over any computer in the domain.
Adware: A type of malware that displays targeted or random ads, either in pop-up windows or on web pages.
AES: A symmetric encryption algorithm that has three key sizes: 128, 192, and 256 bits. AES has been approved by the National Security Agency for protecting confidential U.S. government data. Stands for Advanced Encryption Standard.
AH: A component of IPsec that provides integrity and authentication, but does not provide confidentiality. Stands for Authentication Header.
AirSnort: A product that can be used to break WEP encryption.
Algorithm: A series of steps that define how to perform a task.
Analysis paralysis: A phenomenon that occurs when you keep breaking attack tree subgoals into smaller and smaller units, basically overanalyzing the problem.
Anonymous access: A method of access that does not require authentication. Instead, a specific user account is always used as the security context, regardless of the user's identity.
Anonymous FTP: A site running File Transfer Protocol (FTP) that does not require authentication. Users log on using anonymous as the username and their email address as the password.
Anti-malware: A program that combines the features of an anti-spyware and antivirus program to scan for and remove any type of malware it is configured to detect.
Anti-spyware: A program that scans for and removes spyware from a computer.
Antivirus: A program that scans for and removes viruses, worms, and Trojan horses.
Application layer (OSI model): The layer of the OSI model that provides services such as email, file transfers, and file servers.
Application layer (TCP/IP model): Equivalent to the Application, Presentation, and Session layers of the OSI model.
Application proxy firewall: A Layer 7 firewall that uses a proxy to substitute for a service. A proxy isolates the user from the actual service. The proxy forwards user requests to the service and responses to the user.
Appropriate use policy: A set of security rules employees will be expected to follow.
ARP: A protocol that maps IP network addresses to the hardware MAC addresses used by a data link protocol. The ARP protocol functions as a portion of the interface between the OSI network and data link layers. Stands for Address Resolution Protocol.
ARP spoof attack: A type of man-in-the-middle attack in which an attacker gets between two hosts in the email transmission path.
AS: A Kerberos service that is responsible for authenticating a user or computer and responding with a session key. Stands for authentication service.
ASCII: An encoding standard used by Unix, DOS, and Windows operating systems. Stands for American Standard Code for Information Interchange.

ASP. Authenticator A Kerberos object that is presented to a server to prove that the security principal requesting access is the one that was granted the ticket. making it easy for a script kiddie to launch an attack without knowledge of the vulnerability. Autopsy Forensic Browser A graphical user interface that works with The Sleuth Kit. Authentication data A variable number of 32-bit words containing an integrity check value (ICV) computed over the ESP packet. and Mac® OS X. Authentication protocol A set of rules that define how the credentials are stored on the authentication server and passed between the client and the server. but not including the Authentication data field. a user).NET Microsoft’s latest server-side programming technology that allows you to create compiled server-side applications based on the . Only available for Linux. Availability Prevention of unauthorized withholding of information or resources. Audit A onetime or periodic event to evaluate security. An authentication includes a timestamp to prevent replay attacks. Back-to-back configuration A perimeter network configuration in which a screened subnet is placed between two firewalls. Also referred to as monitoring. Auditing An ongoing process that examines the system or user activities and writes events to an audit log. the process of verifying an identity (for example. Unix®. Attack tree A hierarchical diagram that illustrates how an attack might occur.GLOSSARY 465 ASP A Session layer protocol used to set up a session between an ASP server application and an ASP workstation application or process.NET Framework. Stands for AppleTalk® Session Protocol. One firewall filters traffic between the Internet and the screened subnet. Audit log See Audit trail. Attack script A script that automates a specific type of attack. Autorun macro A script that runs when a Microsoft Office document is opened. The other firewall filters traffic between the screened subnet and the internal network. 
Automatic Updates The Windows® operating system component that allows the Windows Update website or another update server to be checked for updates on a schedule. Attack signature database The repository of attack signatures in a signature-based IDS. Authorizing entity A person who grants or denies permission to access an object when operating under discretionary access control. Authentication The property that the proposed source of the data can be verified to be true. . Audit trail A log of events that provides a history of occurrences in an IT system. Asymmetric encryption An encryption method that requires two keys: a private key and a public key. Authorization The process of determining the resources the user can access once authenticated. Also referred to as an audit log or an event log.

Backdoor: An application installed on a computer to allow an attacker to circumvent security measures on the system.
Backup Operators: An Active Directory built-in Domain Local group whose members can run backup and restore operations.
Backup site: A location where you can restore critical services to maintain business operations during a disaster.
Baseline template: A security template that contains settings relevant to all member servers and that is linked high in the OU hierarchy.
Basic authentication: An IIS authentication method that sends credentials as clear text, but works with most browsers.
Bastion host: A host that allows other computers on the network to access the Internet. A bastion host has two network adapters: one on the Internet and one on the internal network.
Behavior-based IDS: See Statistical anomaly IDS.
BIND: A popular DNS implementation. Stands for Berkeley Internet Name Domain.
BIND name server: A type of DNS server that runs on Unix® or Linux.
Biometrics: An automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics.
Bitstream image: A bit-by-bit copy of a disk so that the hash of the source drive and the hash of the image are identical.
Blacklist: A database of known domain names or IP addresses used by spammers.
Block cipher: A symmetric encryption algorithm in which a message is broken into blocks before being encrypted.
Blum-Blum-Shub pseudorandom generator: A pseudorandom number generator that is considered secure because cracking it requires factoring large numbers.
Boot sector virus: A virus that infects the boot sector of a floppy and that is transmitted to a hard drive boot sector when the user starts the computer using the floppy.
BootP: A protocol that provides a diskless workstation with its IP address based on its MAC address.
Border security: The process of adding perimeter defenses, such as firewalls, between network segments.
Break the stack: A condition in which data entered into a string variable exceeds the size of the string buffer and puts malicious commands on the stack to be executed.
Broadcast domain: The grouping of computers that receive all packets sent to a specific segment. A router or a switch can be used to segment a network into multiple broadcast domains.
Broadcast packet: A packet that is sent to all computers on a segment.
Browser parasite: A program that changes browser settings or adds features, such as toolbar buttons to a browser, in order to perform a malicious act.

Brute force attack: An attack in which software tries different combinations of letters, numbers, and symbols until a match to the password is found.
Brute force methods: The process of enumerating through all possible keys until the proper key is found.
Buffer overflow attack: An attack which exploits a program by entering data that exceeds the amount of memory allocated to a variable to cause malicious commands to be put on the execution stack.
Business continuity plan: A plan that allows a company to recover from a catastrophic or disruptive event.
Business continuity planning committee: A group made up of members of senior management, information systems, functional business units, and security administration. Responsible for creating the business continuity plan.
Business impact assessment: The second step in creating a business continuity plan. It is the process in which you evaluate the impact of a disruptive event in terms of financial and operational costs.
CA: The entity responsible for issuing, validating, and managing certificates. Stands for certificate authority.
Callback: A dial-up server security measure that requires the remote access server to call the client back. When used with a predefined number, it provides security at the expense of flexibility.
CAPolicy.inf file: A file that is used to publish the CPS to subordinate CAs.
CBC: A block encryption mode in which the cipher text of the previous block is XORed with the next block of plain text before being encrypted. A modification to the plain text will propagate to all subsequent blocks. A change in the cipher text will corrupt the block in which the change was made and invert the bit in the next block. Stands for cipher-block chaining.
CER: A biometric system characteristic that reports the percent in which the FRR equals the FAR. Stands for crossover error rate.
Certificate: See X.509 certificate and CA.
Certificate path: See Chain of trust.
Certificate policy: The policy that defines how certificates are issued and managed.
Certificate request: The document that contains the public key of the requestor, along with identifying information. A certificate request is sent to a CA for validation.
Certificate template: A template used by Microsoft® Certificate Services on Windows Server 2003 for generating certificates for specific applications.
CFB: A block encryption mode in which the previous cipher-text-block result is XORed with the results of encrypting the current block. If a bit in the cipher text is changed, the block in which the change occurs will have that bit inverted, and the subsequent block will be corrupted. Stands for cipher feedback.
Chain of custody: A detailed tracking of each action performed on a piece of evidence, including the date and time it was taken out of storage, the person who checked it out, a detailed description of what was done with it while it was checked out, and the date and time it was returned to storage.

Chain of trust: The validation path for a CA hierarchy. In a chain of trust, if the client computer trusts the root CA, it implicitly trusts the CAs validated by the root CA or any of its subordinates.
Challenge-and-response: A method of requesting credentials from a user in which the server sends a challenge and the client appends the password to the challenge and hashes it before sending it to the server.
Challenge Handshake Authentication Protocol (CHAP): An industry standard remote access authentication protocol that transmits passwords using a one-way hash. It requires passwords to be stored as reversibly encrypted.
Change control: See Configuration management.
ChangeCipherSpec message: A message in an SSL session that indicates that subsequent records should be protected with the new cipher suite and keys.
CHAP: An authentication protocol used to validate remote access users, but requires passwords to be stored using reversible encryption. Stands for Challenge-Handshake Authentication Protocol.
Chargen: A service that returns a random string of characters. It operates on port 19.
Checklist review: A disaster recovery plan test in which business units review the plan.
chgrp command: A Unix command used to change the group associated with a file.
chmod command: A Unix command used to change the permissions of a file.
chown command: A Unix command used to change the owner of a file.
CIA: The acronym used to refer to the three main goals of cryptography: confidentiality, integrity, and authentication.
Cipher spec: The cryptographic parameters agreed upon for an SSL session.
Cipher text: Data in its encrypted, unreadable form.
Clearance: A level of authorization used in MAC to determine access.
Client certificate: A digital certificate requested by and issued to a computer that acts as a client in a session.
ClientHello message: A message sent by a client to begin negotiation for an SSL conversation.
Clipping level: A baseline value for an activity, set on a firewall or intrusion detection system to identify a normal level for that type of activity.
Clustering: A technology that allows automatic failover between two or more servers.
Code Red 2: A variant of the Code Red worm.
Code Red worm: A worm that attacks Internet Information Services (IIS) using a buffer overflow error in Index Server.
Cold site: A backup site that is a computer operations room without computers or a network infrastructure installed.
Common Gateway Interface (CGI): The original solution for creating a server-side web component.

Communication procedure: See Determinate chain of notification.
Compiled: Converted from human-readable source code to binary machine language.
Complement value: The reverse of a binary value. In a complement each 1 becomes a 0 and each 0 becomes a 1. For example, the complement of "01" is "10."
Computationally secure: The amount of time needed to compute all possible combinations is so large that it cannot be done in any reasonable amount of time.
Computer security: Implementing measures to secure a single computer.
Computer Security Incident Response Plan (CSIRP): A procedure that should be followed if a security incident occurs.
Computer Security Incident Response Team (CSIRT): The team responsible for creating the CSIRP.
Confidentiality: Prevention of unauthorized disclosure of information; the property that only the parties that should be able to obtain information are able to obtain it.
Configuration auditing: The quality assurance aspect of configuration management that verifies that all configuration management policies are enforced and that the accounting information is consistent and complete.
Configuration control: A means of ensuring that all system changes are approved before they are implemented and that implementation is complete and accurate.
Configuration identification: The process of decomposing a system into discrete configuration items.
Configuration item (CI): An identifiable, understandable, manageable, and trackable unit for which configuration must be managed.
Configuration management: The process of tracking and approving changes to a system. Also referred to as change control.
Configuration status accounting: The documentation of configuration control activities.
Connection-oriented protocol: A type of transmission protocol that guarantees the delivery of packets and that the packets will be delivered in the same order as they were sent.
Connectionless protocol: A type of transmission protocol that transmits packets on a best effort basis; delivery is not guaranteed.
Cookie: An ASCII file that is downloaded from a website to a browser. It is usually used to maintain state information or to store a user's logon credentials.
Countermeasures: Actions to mitigate the risks of attacks against networks.
CPS: A document that describes how CAs are managed in the organization. Stands for Certificate Practice Statement.
Crackers: Programs used by attackers to launch dictionary attacks on passwords and other sensitive authentication information present on internal networks.
Credentials: Proof that the user is who he or she claims to be.
CRHF: A hash function that is resistant to hash collisions. Stands for Collision Resistant Hash Function.

CRL: A list of certificates that are not valid because they have been revoked. Stands for certificate revocation list.
Cross-certification: A process that allows certificates issued by a CA from one organization to be trusted by another organization.
Cryptanalysis: The process of analyzing a cryptographic algorithm to discover how it can be cracked.
Cryptanalyst: A person who analyzes and cracks cryptographic algorithms.
Cryptographic primitives: The four key areas of cryptography: random number generation, symmetric encryption, asymmetric encryption, and hash functions.
Cryptography: The science of developing algorithms for encrypting data.
Custom role: A SQL Server role created and managed by a user.
Custom template: A security template that you define. A custom template can be based on a predefined template or created from scratch.
Cyclic redundancy check (CRC): A file verification technique that involves calculating the file size and dividing by a predetermined number to obtain the remainder. The remainder is then compared to the remainder of a future calculation.
DAC: An access control model in which an authorizing entity grants or denies permission to access an object. Access control is at the discretion of the object's owner. Stands for discretionary access control.
DACL: The part of the security descriptor that grants or denies specific users and groups access to the object. Stands for discretionary access control list.
Data encapsulation: The process of attaching a header at each layer to the data being sent across the network.
Data integrity: The state that exists when computerized data is the same as that in the source documents and when it has not been exposed to accidental or malicious alteration or destruction.
Data Link layer: The layer of the OSI model that provides error checking and transfer of message frames.
db_backupoperator role: A SQL Server fixed database role that grants its members permission to back up a database.
db_securityadmin role: A SQL Server fixed database role that grants its members permission to create custom database roles, manage their permissions, and manage their memberships.
dbcreator role: A SQL Server fixed server role that grants members permission to create databases.
dcomcnfg: A Windows tool for configuring DCOM.
dd utility: An open source utility that can be used to make a bitstream copy of a disk. Included with most Linux and Unix distributions. A Windows® version is also available.
Defense-in-depth: The security strategy in which multiple controls are implemented to offer multiple layers of protection instead of relying on a single control.

Denial-of-service attack: An attack that prevents a server from performing its normal job.
Depth: The point at which a pseudorandom number generator will cycle.
DES: A symmetric key encryption algorithm that uses a key length of 56 bits. Stands for Data Encryption Standard.
Determinate chain of notification: A description of how information should flow to people who might be affected by a security incident. Also referred to as communication procedure.
DHCP scope: A range of IP addresses to assign to DHCP clients.
DHCPINFORM message: A DHCP message sent by Windows® 2000 and Windows Server 2003 DHCP servers to verify that they are authorized with the domain controller.
Dictionary attack: An attack in which all the words in the dictionary are tried until a match with the password is found.
Differential backup: A backup that backs up all data that has changed since the last full backup. Only the full backup and most recent differential backup need to be restored.
Diffie-Hellman key exchange: A key agreement protocol in which both parties agree on a prime number and a base, then select secret numbers independently. In order for the Diffie-Hellman key exchange algorithm to be broken, there must be an efficient algorithm to solve the discrete logarithm problem.
Digest: The fixed-size message generated by a hash function.
Digest authentication: An IIS authentication method that authenticates users using Active Directory. Although credentials are sent across the network as a hash, they must be stored using reversible encryption on the domain controller. Digest authentication does not require Internet Explorer®.
Digital certificate: See X.509 certificate.
Digital signature: A method of providing authentication by encrypting a message or its digest with a private key.
Direct attached storage (DAS): One or more hard disks attached directly to a computer.
Disaster recovery plan: The set of actions that should be taken to prepare for and recover from a natural disaster or other catastrophic event.
Discrete logarithm problem: The mathematical problem of calculating the discrete logarithm.
Disk mirroring: See RAID 1.
Disk striping: See RAID 0.
Distributed Component Object Model (DCOM): A Windows programming interface for accessing an application running on a different computer using RPCs.
Distributed denial-of-service (DDoS) attack: An attack in which Trojan horse code on zombie computers launches an attack against a target, overwhelming the target and making it difficult to track down the source of the attack.

Distributed File System (DFS): A Windows Server feature, and the service that manages it, that allows multiple file shares to be represented as a single logical volume.
DMZ: A noncritical, somewhat secure region located between a private internal network and a public network, such as the Internet. Stands for demilitarized zone.
DNS: A distributed database system that matches host names to IP addresses and vice versa. Stands for domain name system.
DNS cache: A location on a DNS server that contains information retrieved from queries to other DNS servers.
DNS namespace: The name of the domain, represented as a fully-qualified domain name. For example, busicorp.com or corp.busicorp.com.
DNSUpdateProxy group: A Windows group to which DHCP servers are assigned to prevent them from owning the records they register in DNS.
Documentary evidence: Evidence that provides documentation of what occurred. It can include files and other data collected from a computer.
Documentation control: The process of ensuring that all configuration documentation is complete and up-to-date.
Domain: A security boundary in a Windows NT® 4.0 client/server network or an Active Directory network.
Domain Admins: An Active Directory Global group that is a member of the Administrators group.
Domain Computers: An Active Directory Global group in which all computers that have been joined to the domain are members.
Domain controller: A server in a domain that stores credentials and authenticates security principals based on their domain account.
Domain Controller Baseline Policy (DCBP): A GPO that contains the baseline security settings for the domain controllers in an organization and that is linked to the Domain Controllers OU.
Domain Controllers: An Active Directory Global group in which all domain controllers for the domain are members.
Domain Guests: An Active Directory Global group that is a member of the Guests group.
Domain Local group: An Active Directory group that can be used in native mode or mixed mode. Permissions are generally assigned to Domain Local groups.
Domain Name System (DNS) server: A server responsible for resolving host names to IP addresses.
Domain Users: An Active Directory group in which all users in the domain are members. It is a member of the Users group.
DoS attack: See Denial-of-service attack.
DREAD methodology: A qualitative risk analysis scheme that helps you assign ratings for assets, vulnerabilities, and threats.
Drop-off Directory: A writable area of an anonymous FTP server.

DSA: A standard that defines an algorithm for generating digital signatures. Stands for Digital Signature Algorithm.
Dumps memory: Writes the contents of memory to a file.
Dynamic DNS updates: See Dynamic updates.
Dynamic Host Configuration Protocol (DHCP) server: A server responsible for automatically assigning TCP/IP configuration settings.
Dynamic updates: A feature of some DNS servers that allows clients to automatically create and update their DNS records.
EBCDIC: A legacy character encoding standard originally developed for IBM servers. Stands for Extended Binary Coded Decimal Interchange Code.
ECB: A block encryption method in which each block is encrypted independently. It does not provide integrity because a change to the cipher text in one block only invalidates that block. Stands for electronic code book.
Echo: A TCP/IP utility that echoes a string back to the display. It operates on port 7.
Edge Transport: A Microsoft Exchange server role that acts as a mail proxy by residing in the perimeter network and checking incoming mail for viruses, attachments, and spam.
Effective NTFS permissions: The permission that determines whether a user's access attempt will be granted. Effective permissions consider group membership, inherited permissions, and explicit permissions.
EFS: The feature of the NTFS file system on a Windows 2000, Windows XP, or Windows Server 2003 system that provides file encryption. Stands for Encrypting File System.
Elevation of privilege: An attack in which a user gains more privileges on a computer system than he or she is entitled to.
Email header: A part of an email message that includes the source address of the sender and all hops along the path to the recipient.
Email replay attack: An attack in which the packet or packets associated with an email are intercepted and played back to the destination mail server.
Emergency Management Services (EMS): Windows Server 2003 out-of-band management tools.
Encapsulating: Wrapping a datagram inside headers and trailers to allow it to be transmitted over a network medium that does not normally accept that type of packet.
Enigma: A cryptography machine invented by the Germans in World War II. It used the speed of rotors to generate the keys.
Enrollment strategy: The process of requesting and installing certificates for users, computers, and services.
Enrollment time: The time that it takes to initially register with a system by providing samples of the biometric characteristic to be evaluated.
Enterprise CA: A CA that is integrated with Active Directory.

ESP: An IPsec component that provides confidentiality, integrity, authentication, some replay protection, and limited traffic flow confidentiality. Stands for Encapsulating Security Payload.
Ettercap: An ARP spoofing tool.
Evacuation drill: A test of the evacuation procedures portion of the disaster recovery plan.
Event log: See Audit trail.
Everyone group: A special identity on Windows computers that includes all users.
Evidence: Information presented in court that attempts to prove a crime was committed.
Extensible Authentication Protocol (EAP): A standard that allows support for multiple remote access authentication protocols.
External consistency: See Data integrity.
Failover: The process by which one server takes over the operations of another.
Failover system: An identical copy of a server and its data that can be used in the event of an attack, natural disaster, or server failure.
False positive: An access pattern flagged as suspicious that is actually benign.
FAR: A biometric characteristic that reports the percentage of invalid subjects that are falsely accepted. Stands for false acceptance rate.
Fault tolerance: A method of providing a backup server that can assume the role of a server that has failed.
Fault-tolerant computing: A computer configuration that can tolerate the failure of a component.
Fault tolerant solution: A solution that can automatically recover from failure of a device or component.
Fibre channel: A suite of protocols that creates a high-speed infrastructure for transferring data between storage devices and servers.
File Replication Services (FRS): Service responsible for transferring files and the directory database between domain controllers.
Filter: A set of rules that determine which packets should be allowed through a firewall, which should be rejected, or which should be dropped.
Finger: A utility that allows you to determine information about a user and logon sessions based on an email address. It operates on port 79.
finger command: A Unix or Linux command that allows you to obtain information about a user.
Fixed database role: A SQL Server role automatically created at the database scope for which permissions cannot be changed, but membership can.
Fixed server role: A SQL Server role automatically created at the server scope for which permissions cannot be changed, but membership can.
Footprint: To use a port scanner or other technique to gain information about the operating systems and services running on a network.

Forensics: The science of gathering and preserving evidence.
Forward lookup: The type of DNS query used to find out the IP address of a computer when you know its host name.
Frequency analysis: A cryptanalysis technique that uses the fact that some letters in a specific language appear more frequently than others.
FRR: A biometric characteristic that reports the percentage of valid subjects that are falsely rejected. Stands for false rejection rate.
FTP: An Application layer protocol that provides for authenticated transfer of files between two computers and access to directories. Stands for File Transfer Protocol.
Full backup: A backup of all selected files and folders.
Full-interruption test: A test of the disaster recovery plan in which normal production is shut down and all recovery processes are executed.
Full-scale exercise: See Parallel test.
Functional drill: A test of the disaster recovery plan that tests one or more specific functions of the plan.
Gateway-to-gateway security: The act of securing data between two gateways, but not between the gateway and the client. Used to support non-IPsec-aware clients.
Generic Routing Encapsulation (GRE): A PPTP subprotocol that adds a header to a PPP packet.
Ghost™: A software utility created by Symantec™ that can be used to create an image of a computer’s configuration.
GID: A 16-bit number that identifies a group on a Unix computer. Stands for group identity.
Global catalog: A database that contains a subset of Active Directory objects and object attributes for every domain in the forest.
Global catalog server: A domain controller that hosts the global catalog for the forest.
Global group: An Active Directory group that can be used in native mode or mixed mode. It is normally added as a member of a Domain Local group, Local group, or Universal group.
GNU General Public License (GNU GPL): A licensing structure for open source and freely distributed software.
GPO: An Active Directory object that is used to centrally manage user and computer configuration settings, including security settings. Stands for Group Policy Object.
Group Policy: Active Directory’s centralized management technology for user and computer configuration settings.
Group transient key (GTK): In 802.11i, a temporal key that protects multicast and broadcast data.
Groups: Collections of one or more users.

Guests: An Active Directory built-in Domain Local group whose members are more limited than members of the Users group.
Half-open connections: Connections that have not completed the handshake process and are in the SYN_RECV state.
Hardware-assisted software RAID: Involves installing either a host bus adapter that includes a RAID BIOS chip or a RAID BIOS chip on the motherboard, and RAID software on the computer.
Hash: See Digest.
Hash collisions: The probability that the same hash will be generated from different data.
Hash function: A function that computes a smaller, fixed-size digest from a message of any size.
Header condition signature: A combination of data in packet headers that indicates an attack.
Headless server: A server that does not have a monitor attached.
Heterogeneous environment: A network environment that runs multiple operating systems.
Hexadecimal commands: Computer commands represented in base 16.
Hidden attribute: A Windows file attribute that causes a file to not be displayed unless the Show hidden files and folders option is enabled.
Hidden share: A share that cannot be seen when browsing the network. On a Windows computer, a hidden share is created by appending a “$” to the end of the share name.
High-interaction honeypot: A honeypot that allows an attacker to perform complex interactions because it uses actual operating systems and services.
Home directory: A directory on a Unix computer associated with a specific user.
Honeyd: An open source low-interaction honeypot created by Niels Provos.
Honeynet: A controlled network of high-interaction honeypots.
Honeynet Project: A multinational organization that researches attacker methods using honeypots and honeynets.
Honeypot: A monitored decoy system that can be used to research attack methods and help prevent an attack by distracting the attacker from an actual target.
Host: A file in which a virus resides.
Host bus adapter (HBA): An adapter for connecting hard drives to a motherboard. It can include a RAID BIOS chip or a RAID processor.
Host-based IDS (HIDS): An IDS that runs on a specific host and can detect only malicious activity targeted at that host.
Host name: The name of a computer on a TCP/IP network.
Host record: A DNS server record that identifies a computer on the network and is used for forward lookup.

Host-to-Host layer: Layer in the TCP/IP model that is similar to the OSI Transport layer.
Hot site: A backup site that has all required hardware, software, and peripherals installed and that can be up and running by synchronizing the data.
Hot space: See RAID 5EE.
Hot spare: A drive in a RAID 5 array that does not participate in the array until another drive fails, but that is added to the array automatically when a failure occurs. A hot spare can also be used without RAID.
HTTP: A protocol used for sending web pages and information to other locations on the Internet. Stands for Hypertext Transfer Protocol.
HTTPS: A protocol that encrypts data sent over HTTP. It uses a digital certificate on a web server to provide the encryption key. Stands for Hypertext Transfer Protocol over SSL.
Hyperlink: A clickable area on a web page that loads a different URL.
HyperTerminal: A terminal emulation program included with Windows operating systems.
HyperText Markup Language (HTML): The language used to create most web pages. A browser uses the HTML to determine how to render content.
IAS proxy: An IAS server that is configured to forward RADIUS traffic to another server.
ICMP: A troubleshooting protocol and member of the TCP/IP protocol suite used to identify problems with the successful delivery of diagnostic packets within an IP network. For example, Ping uses ICMP. Stands for Internet Control Message Protocol.
ICV: A hash of the ESP packet, not including the Authentication data field. Used to verify that the message has not been tampered with. Stands for integrity check value.
Identification: The process of supplying the credentials the authenticating server will use to prove a user’s or computer’s identity.
Identity-based access control: An access control model in which a user’s identity is managed by a different person or organization than the one that manages permissions and privileges.
Identity theft: Using somebody else’s identity to gain access to a resource or service.
IKE protocol: A protocol for authentication, shared key generation, and managing the negotiation of cryptographic algorithms, authentication methods, and key generation and exchange in an IPsec session. Stands for Internet Key Exchange protocol.
IKEv2: The latest version of Internet Key Exchange protocol, defined in RFC 4306.
ILOVEYOU virus: A virus that propagates through email by sending an infected message to everyone in a user’s address book (contacts folder).
Image: A snapshot of a computer’s configuration that can be applied to the same computer or a different computer.
Impersonate: The act of using another user’s credentials to gain access to a server.

Impersonation token: An access token that is created when a client application accesses a server on behalf of the user.
In-band remote management: The process of accessing and managing a computer that is operational and can be accessed using standard network communication.
Incremental backup: A backup that backs up all files that have changed since the last full or incremental backup. To recover using incremental backups, you must restore the full backup and then each incremental backup in the order in which they were taken.
Incremental template: A security template that contains settings relevant to a specific server role.
Index Server service: A Windows service that indexes files on a hard disk for faster search access.
Infrastructure mode: A wireless networking mode in which clients connect to a wireless access point.
Inherited permission: A permission that is configured at an object higher in the hierarchy and that flows down to the objects lower in the hierarchy. File system objects inherit permissions from the folder hierarchy. Active Directory objects inherit permissions from the organizational unit hierarchy.
Initialization vector (IV): A varying value that is used along with the shared secret when performing WEP encryption.
Inode: A structure in a Unix file that includes the UID of the owner, the GID of the group that owns the file, and the permissions granted to owner, group, and other.
Integrated Windows authentication: An IIS authentication method that authenticates users using either Active Directory or the local account database and sends credentials as a hash, but requires Internet Explorer on the client.
Integrity: Prevention of unauthorized modification of information; the property that data has not been modified or changed in any way.
Intelligent agent: A small program that resides on a host computer and monitors the computer for suspicious activity.
Intelligent uninterruptible power supply (intelligent UPS): A device that provides power conditioning and fault tolerance in case of power failure, and can be used to connect servers to serial ports or through the AC power line.
Interaction: The level of activity provided by the honeypot to the attacker.
Intermediate CA: A CA that issues certificates on behalf of the root CA.
Internet Authentication Service (IAS): Microsoft®’s implementation of a RADIUS server.
Internet Connection Sharing (ICS): A simplified NAT service that issues dynamic IP addresses in the 192.168.0.x range and can operate on Windows 2000 Professional or Windows XP.
Internet layer: Layer of the TCP/IP model that performs a similar function to the Network layer of the OSI model.

Internet Server Application Programming Interface (ISAPI): An application programming interface (API) that allows you to create compiled web components that can run on Internet Information Services (IIS).
Internet zone: The Internet Explorer® and Outlook® security zone that contains all addresses not on the local network that have not been added to either the trusted sites zone or the restricted sites zone.
Intersite Messaging service (IsmServ): Allows communication between domain controllers at different Active Directory sites.
Intrusion detection (ID): The act of detecting and analyzing activities to determine whether an attempt was made to gain unauthorized access to a system.
Intrusion detection system (IDS): A system or appliance that monitors network traffic or audit logs to determine whether an attack might be underway.
Intrusion prevention system (IPS): A system that not only detects and logs suspicious activity, but also takes action to prevent the attack.
IP: The Network layer protocol in the TCP/IP suite. It provides a best effort, or unreliable, service. It does not guarantee packet delivery. Stands for Internet Protocol.
IP address: A four-byte address that is assigned to every host on the Internet or on a network running TCP/IP.
IP address filtering: The process of limiting the client IP addresses that can connect to a server.
IP packet filtering: The process of limiting the protocols or ports on which a computer will accept a request.
IP within IP: See Tunnel mode.
IPsec: A security protocol that operates at the Internet layer of the protocol stack. It can provide traffic filtering, integrity, authentication, confidentiality, and some protection against replay attacks. Stands for IP (Internet Protocol) security.
IPsec policy: A collection of rules defining how IPsec should permit, block, or protect specific types of traffic.
IPX: A protocol maintained by Novell® that transmits and receives packets. It works with SPX. Stands for Internetwork Packet Exchange.
iSCSI: A connection protocol for communicating between storage devices and servers that uses the existing Ethernet and TCP/IP infrastructure.
ISO 17799: A standard that provides best practices for defining security policies.
Issuing CA: A CA at the lowest level of the hierarchy. It is responsible for enrolling, deploying, and renewing user and computer certificates.
IUSR_computername account: A special Windows account that is created when IIS is installed. It provides the security context for anonymous access to web sites.
IV sequencing discipline: A feature of TKIP in which the receiver discards packets that are out of sequence. This feature helps to prevent replay attacks.

Java™: A programming language in which applications can be compiled once and then executed on multiple different operating systems, provided a Java Virtual Machine (JVM) is installed.
Java applets: A program written in Java that runs on a user’s workstation and is subject to specific limitations to help increase security.
JavaScript®: A scripting language based on the Java programming language.
JPEG: Standard for graphics defined by the Joint Photographic Experts Group. Stands for Joint Photographic Experts Group.
KDC: A Kerberos service that is responsible for storing credentials in a database and managing the exchange of keys between clients and servers on the network. Stands for key distribution center.
Kerberos: A trusted authentication protocol based on symmetric key cryptography that authenticates clients to other entities on the network. Kerberos implementations are available for many operating systems, including Windows, Unix, NetWare®, and Macintosh.
Kerberos key distribution center (KDC): A domain controller service required on all domain controllers to perform authentication.
Key: A piece of data used for encryption and decryption. A strong key is a random piece of data that cannot be easily discovered.
Key agreement protocol: A method of generating shared keys on the fly.
Key block: A set of keys used to protect data transmission in an SSL session.
Key confirmation key (KCK): In 802.11i, a member of the PTK that binds the PMK to the client station and access point.
Key encryption key (KEK): In 802.11i, a member of the PTK that is used to distribute the group transient key.
Keystroke logging program: Utilities that can log a user’s keystrokes and that can be used to store and forward passwords to an attacker.
Knowledge-based IDS: See Signature-based IDS.
L0phtcrack: A program used to crack passwords.
LAN Manager protocol: An authentication protocol used by older Microsoft operating systems, such as MS-DOS® and Windows 95. It has a maximum password length of 14 characters and stores passwords in a format that is easy to crack.
last command: A Unix or Linux command used to display login information. When used without parameters, it shows all logins in the wtmp file.
lastcomm command: A Unix or Linux command that shows the commands that have been executed.
lastlog command: A Unix or Linux command that records the last time a user logged in.
Last-in-first-out (LIFO): An execution order in which the last command placed on the stack executes first.
Layer 2 Tunneling Protocol (L2TP): An industry-standard VPN protocol that uses IPsec for encryption. Through IPsec, it offers computer authentication using either certificates or pre-shared keys.

Layered architecture: The decomposition of network functions into layers. Layered models include the OSI model and the TCP/IP model.
LC4: See L0phtcrack.
Letter salad: A technique used to try to circumvent spam filters by misspelling words that are commonly used in spam.
Limiting the attack surface: The process of removing or disabling unnecessary services, closing unnecessary ports, and removing unnecessary input and output devices.
Link Control Protocol (LCP): A subprotocol of PPP that detects loopback links, accommodates limits on packet sizes, sets up encapsulation options, and negotiates peer-to-peer authentication.
Link establishment phase: The phase of a PPP conversation in which the two devices establish specific network parameters, such as frame size, compression, and the authentication protocol.
LMHosts file: A file that contains NetBIOS name resolution information and that can be used as an alternative to WINS.
Local intranet zone: The Internet Explorer and Outlook security zone that contains all addresses on the internal network.
Local Service account: A built-in Windows account that has very limited permissions on the computer and that cannot access other computers across the network.
Local System account: A built-in Windows account that has extensive permissions on the computer and that can access other resources across the network.
Logic bomb: A type of Trojan horse that remains dormant until a triggering condition occurs.
Logical Link layer: The sublayer of the OSI model’s Data Link layer that is responsible for setting up the communication link and formatting the data into frames.
Low-interaction honeypot: A limited emulation of an operating system and system services.
ls command: A Unix command that is used to list the files and directories and information about them.
MAC: An access control model in which a subject is given clearance and an object is given a sensitivity classification. Access is determined by matching the subject’s clearance to the object’s sensitivity. For example, a subject with a secret clearance can access secret objects, but not top secret objects. Stands for mandatory access control.
MAC address: The unique address assigned to each network adapter. It comprises a 6-byte number. The first three bytes of a MAC address identify the manufacturer. The remaining three bytes represent the serial number of the device.
MAC address filtering: A security method in which a wireless access point is configured with a list of MAC addresses that should be allowed to connect.
Macro Virus Protection: A Microsoft Office feature that can be used to prevent macros from running unless the user explicitly allows them.
Mail proxy: See Mail relay.

Mail relay: A server that resides in the perimeter network and checks incoming email for scripts, viruses, Trojan horses, questionable attachments, and spam. Also known as a mail proxy.
Malcode: See Malware.
Malware: Code that performs a malicious act. Viruses, worms, Trojan horses, spyware, and adware are all examples of malware. Also known as malcode.
Manage Documents permission: A permission granted on a Windows printer to allow a user to manage the print queue.
Manage Printer permission: A permission granted on a Windows printer to allow a user to configure the printer and install drivers.
Managed computer: A computer that is configured through a centralized policy. One example of a managed computer is an Active Directory® client that is configured through Group Policy.
Management computer: A computer running terminal emulation software used to manage a computer using EMS.
Man-in-the-middle attack: An attack in which the attacker intercepts a message and alters it before sending it on to the recipient. A man-in-the-middle attack can be used to compromise a key agreement unless authentication is also used.
MasterSecret: A 48-byte value derived from the PreMasterSecret, “master secret,” and the random number selected by the client and the server in an SSL session. The MasterSecret provides the input to construct a key block.
MD5: A hash function. Stands for Message-Digest algorithm 5.
MD5-Challenge: A test package for EAP that should be used to troubleshoot connections. It requires configuring the server and client with a shared secret.
Media Access layer: The sublayer of the OSI model’s Data Link layer that is responsible for supporting a computer’s access to packet data and for regulating a computer’s permission to transmit packet data.
Melissa: A virus that attaches itself to Microsoft Word files and infects Normal.dot when the file is opened. Once it resides in Normal.dot, it infects other Word files opened on the computer.
Message Integrity Code (MIC): A unique, unambiguous representation of the transmitted message that will change if the message bits change.
Michael: The 64-bit MIC used by TKIP.
Michelangelo: An early logic bomb that used Michelangelo’s birthday as the trigger. It was designed to overwrite the hard drive.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): A Microsoft version of CHAP that transmits both a LAN Manager hash and an NTLM hash. It does not require the server to store passwords using reversible encryption.
Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2): An improved version of MS-CHAP that offers mutual authentication and does not transmit a LAN Manager hash.

Microsoft Passport authentication: See Windows Live authentication.
Microsoft Point-to-Point Encryption (MPPE): The encryption method used by PPTP. The session keys are generated from the MS-CHAP or EAP passwords.
MIME: Enables the use of non-US-ASCII textual messages, nontextual messages, multipart message bodies, and non-US-ASCII information in message headers in Internet mail. Stands for Multipurpose Internet Mail Extensions.
Mitigate: Reduce the likelihood or impact of a risk.
Mixed mode domain: A Windows Active Directory domain that includes Windows NT 4.0 domain controllers or that has not yet been converted to native mode.
Mobile backup: A vendor that supplies mobile power and HVAC facilities to allow a company to perform processing during an emergency. Also referred to as a mobile backup.
Modem serial connection: Similar to a direct serial connection except that it involves putting a modem between the management computer and the server(s).
Mondoarchive: A backup utility for Linux systems.
Monitoring: See Auditing.
MPEG: Standard for the compression and coding of motion video. Stands for Moving Picture Experts Group.
Multicast packet: A packet that is sent to all computers on a network that are listening on a specific multicast address.
Multicasting: Sending a message to multiple computers listening on the same IP address. Multicasting is often used for distributing presentations to multiple hosts.
Multihomed computer: A computer with multiple network interfaces.
Multiple centers: An emergency strategy that spreads processing across multiple geographic locations.
Mutual aid agreement: An arrangement with another company to provide processing resources to each other in the event of a disaster.
Mutual authentication: A type of authentication in which the client must prove its identity to the server and the server must prove its identity to the client.
MX record: A DNS record that identifies a mail server.
Naive Bayes classifier: A method of classification used to determine whether an email is spam based on whether the email contains words that are frequently used in spam.
NAT: A service that translates private addresses that are normally internal to a particular organization into routable addresses on public networks such as the Internet. Stands for Network Address Translation.
NAT-Traversal: An Internet Engineering Task Force (IETF) draft standard that uses User Datagram Protocol (UDP) encapsulation to wrap the IPsec packet inside a UDP/IP header.
Native mode domain: A Windows Active Directory domain in which all domain controllers are running Windows 2000 Server or Windows Server 2003 and that has been converted to native mode.

484 GLOSSARY
Need to know: The access control condition that a subject must have a need to access a specific classified document in order to perform assigned duties.
Need-to-access environment: An access control environment in which users are given permission to access only the data they need to perform their jobs.
Need-to-know environment: An access control environment in which users are given permission to read only the data they need to perform their jobs.
Nest: To make an object of one specific type a member of an object of the same type. In Active Directory native mode, global groups can be nested.
NetBIOS application: An application that uses the NetBIOS application layer protocol to communicate on the network.
NetBIOS name: The name of a computer that is compatible with NetBIOS applications and legacy Windows operating systems.
NetMeeting®: An online conferencing application.
Netstat: A Windows troubleshooting tool that allows you to see which ports a computer is listening on, as well as other information about the network.
Network access server (NAS): A server in a TACACS configuration that processes requests for connections and transmits authentication credentials to the TACACS server.
Network Access layer: Layer of the TCP/IP model that performs a similar function to the Data Link and Physical layers of the OSI model.
Network Address Translation (NAT) server: A server responsible for acting as a gateway between the Internet and computers on the internal network.
Network Configuration Operators: An Active Directory built-in Domain Local group whose members have some rights to manage the network configuration parameters for computers in the domain.
Network Control Protocol (NCP): A subprotocol of PPP that is used for configuring, managing, and testing data links.
Network layer: The layer of the OSI model that performs packet routing across networks.
Network security: Protecting all the resources on a network from threats.
Network Service account: A built-in Windows account that has the same local permissions as Local Service, but can also access computers across the network.
Network stack: A stack of protocol layers.
Network-based IDS (NIDS): An IDS that listens to traffic on a network segment and can detect an attack targeted at any host on that segment.
newgrp command: A Unix command that allows a user to associate their user account with a different group.
Next Header: A field in an ESP packet that shows the next protocol field on the normal IP packet.
NFS: A Session layer protocol that supports the sharing of files among different types of file systems. Stands for Network File System.

GLOSSARY 485
Nimda worm: A variant of the Code Red worm.
NIST: A United States government agency that performs research, develops technical standards, and promotes technological advances. Stands for National Institute of Standards and Technology.
Nonpersistent cookie: A cookie that is stored in memory, not on the hard drive, and is deleted when a session ends or the computer is rebooted.
Nonrepudiation: The inability to deny that a specific action occurred.
Nonrepudiation of delivery: The act of collecting and providing evidence that a message was delivered to a specific recipient.
Nonrepudiation of origin: The act of collecting and providing evidence about the sender of a document.
NSA: A United States government agency responsible for collecting and analyzing foreign communications and protecting the confidentiality of U.S. government data. Stands for National Security Agency.
ntbackup: The command-line version of Windows® Backup.
NTFS permissions: Permissions that are configured for a file or folder on a Windows system. Stands for NT File System permissions.
NTLM protocol: An authentication protocol that is used for Windows NT 4.0 domains and local SAM account authentication in Windows 2000 and Windows XP.
NTLMv2 protocol: An authentication protocol that provides more secure password transmission than NTLM and that also provides mutual authentication.
Null modem cable: A special serial cable that allows two computers to connect to each other through serial ports by reversing the send and receive lines.
Nyxem worm: A logic bomb that is activated on the third of every month. It disables file sharing security and antivirus protection, and deletes Microsoft Office files, .zip files, and .rar files.
Object: A passive entity to which permission is granted or denied.
OFB: A block encryption mode in which the output of the encryption algorithm is XORed with the plain text continuously throughout the blocks. If any bits are lost, the message cannot be recovered. Stands for output feedback.
Off-site backup: A backup stored at a different location, usually in a secure vault or safety deposit box.
One-time pad: A cryptographic algorithm in which the cryptographer uses a pad of random numbers to provide the shift value for each letter of the message.
One-time password: An automatically generated password that can only be used for a short amount of time or for a single logon.
One-way hash: A hash created with a shared secret. The hash is created on both ends of the conversation and compared. However, you cannot decode the hash to retrieve the actual data.
Originating domain: The domain from which a cookie is downloaded.

486 GLOSSARY
OSI model: A network architecture model that consists of seven functional layers. The OSI model was developed around 1981 by the International Organization for Standardization (ISO). Stands for Open Systems Interconnection model.
OSPF: A routing protocol that selects the least-cost path from a source computer to a destination computer. Stands for Open Shortest Path First.
OU: A container in an Active Directory domain. An OU can be used to group objects for delegation of administration or for applying Group Policy. Stands for organizational unit.
Out-of-band remote management: The process of connecting to and managing a server that does not respond to standard network communication.
Outlook postmark: A puzzle of varying complexity that is added to legitimate email to help distinguish it from spam.
OWA: An Internet-facing server that allows access to Microsoft Exchange through HTTP. Stands for Outlook® Web Access.
Packet checksum: The result of a mathematical calculation on a packet that is added to the packet to verify its integrity.
Packet filtering: A technique used by firewalls. Each packet is compared against a filter and the packet is either allowed to pass, is rejected, or is dropped.
Packet Privacy: The method of encryption used by DCOM.
Packet sniffer: Software or hardware that captures traffic on the network and allows a user to view the packet headers and data.
Packet tampering: An attack in which data packets are modified.
Pad length: A field in an ESP packet that provides the length of the padding field.
Padding: A technique in which extra characters are added to plain text before generating the cipher text. Padding is used with block ciphers to produce blocks of a specific length and with stream ciphers to provide randomness for a common message.
Pairwise master key (PMK): In 802.11i, a symmetric key possessed by an access point and a client station which is used to authorize access to the 802.11 medium.
Pairwise transient key (PTK): In 802.11i, a collection of operational keys, including key encryption key, key confirmation key, and temporal key.
PAM: Software that runs on a Unix computer to provide a standard interface that allows you to use a variety of authentication protocols. Stands for pluggable authentication module.
Parallel test: A simulation of an emergency situation that involves all participants and that might include some interruption in production processing. Also referred to as a full-scale exercise.
Parity stripe: An XOR calculated from data stripes and written to a disk in the array for fault tolerance.
Passive node: A cluster node that sits idle until it needs to take over for an active node.
Passphrase: A password that can contain many characters, including spaces.
Password Authentication Protocol (PAP): A legacy remote access authentication protocol in which the username and password are passed in clear text.

GLOSSARY 487
Patch: See Security update.
Payload data: A variable-length field containing the Transport layer network message.
PCBC: A block encryption mode that is similar to CBC, except that changes to the cipher text are propagated through the remainder of the message. Stands for propagating cipher-block chaining.
PDU: A network message at a specific layer in the network stack. Stands for protocol data unit.
Peer-to-peer network: A network that does not implement centralized security. Users on a peer-to-peer network share resources with other users and manage the security of those resources.
Penetration testing: The process of probing a network's defenses to try to find vulnerabilities.
Perimeter network: See DMZ.
Permission attributes: The individual security protections for an object, including users who are allowed and denied access.
Per-packet mixing function: A TKIP feature that involves generating a temporal key that is used along with the packet sequence counter to build the packet key. It causes different clients to create different per-packet encryption keys, mitigating the risk of IV discovery.
Persistent cookie: A cookie that is stored on a user’s hard drive and can be accessed by spyware.
Personal firewall: Firewall software that runs on a server to limit the traffic that server accepts.
Personal firewall: Firewall software that runs on a user’s computer to protect it against unwanted and potentially harmful traffic.
Phishing attack: A type of social engineering attack in which a user is tricked into supplying confidential information by an email that spoofs a legitimate site, such as an online banking site, PayPal®, or eBay®.
Phishing filter: A feature of Internet Explorer 7 that attempts to determine whether a website is legitimate or a spoofed website used in a phishing attack.
Physical entry point: An interface on a computer that allows input or output.
Physical evidence: A physical item that can be presented as evidence. For example, a piece of equipment.
Physical layer: The layer of the OSI model that defines standards for transmission media.
PID: An identifier associated with a process (subject) on a Unix computer. Stands for process ID.
Ping: A command that can be used to check whether computers on a network can communicate.
Ping of death: A denial of service attack that uses a Ping request that is larger than the maximum size of 65,536 bytes.

488 GLOSSARY
PKI: The technology, software, computers, and services that allow an organization to securely exchange information and validate the identity of users. Stands for public key infrastructure.
Plain text: Data in its unencrypted, readable form.
Plug-in: An extension to a browser that allows a user to display a specific type of content in the browser.
Point-to-Point Protocol (PPP): A remote access protocol that can encapsulate IP, IPX, and other network protocols.
Point-to-Point Tunneling Protocol (PPTP): A VPN protocol that uses the PPP infrastructure and authentication mechanisms. Developed by Microsoft, it is primarily used for VPN access to a Windows® network.
Poisoning the cache: Changing data in the DNS cache on a downstream DNS server so that one or more records point to a bogus or malicious address.
Policy CA: See Intermediate CA.
Polyalphabetic substitution: The method used by the Vigenere cipher in which multiple alphabetic shifts are used as the key instead of the single shift used by the substitution cipher.
POP: An Application layer protocol used to retrieve email from a mail server. Stands for Post Office Protocol.
POP3: The latest version of POP.
Port: A logical entity associated with a number on which the TCP/IP protocol listens for messages associated with a specific protocol.
Port scanner: A utility that scans a computer or network for open TCP/IP ports.
Port signature: A set of connection attempts to frequently attacked ports.
Portable Document Format (PDF): A standard document format that can be read by Adobe® Acrobat® or Acrobat Reader®. Many websites use PDF to allow users to view content.
Post Office Protocol 3 (POP3): A protocol used to receive email.
PPP: A protocol used for transmitting data over point-to-point links. It does this by encapsulating the datagrams of other protocols. PPP was designed as a replacement for SLIP in sending information using synchronous modems. Stands for Point-to-Point Protocol.
PreMasterSecret: A 48-byte random value used in a function to calculate the Master Secret for an SSL session.
Presentation layer: The layer of the OSI model that provides encryption, code conversion, and data formatting.
Pre-shared key (PSK) mode: An 802.11i mode in which there is no authentication exchange and a single private key can be assigned to the entire network or to an access point/client pair.
Pre-shared secret: A key that is shared between two parties before communication begins.

GLOSSARY 489
Primary token: An access token that is associated with the user who is logged on to the computer where the process is running.
Principal: See Subject.
Principle of least permission: The best practice of granting only the permissions a user needs to perform a job.
Principle of least privilege: See Principle of least permission.
Print job: A document that has been sent to a printer.
Print Operators: An Active Directory built-in Domain Local group whose members can manage printers in the domain.
Print permission: A permission granted to a Windows printer to allow the user to send documents to be printed.
Print queue: A list of documents (print jobs) that have been sent to the printer.
Print Spooler service: A Windows service that manages print queues and print jobs.
Privacy: Protection of personal data.
Private key: A key that is only known to its owner. Used in asymmetric encryption.
Private network: An organization’s network that is for internal access. It often must handle confidential and proprietary data.
Promiscuous mode: A network adapter operating mode that allows the adapter to see packets on the network that are destined for other computers.
Propagated: Spread from computer to computer.
Protected Extensible Authentication Protocol (PEAP): A protocol that allows a user to authenticate using a password on a wireless network protected by 802.1x.
Protocol: A formal set of rules that describe how computers transmit data and communicate across a network.
Protocol analyzer: See Packet sniffer.
Protocol analyzers: Software or hardware that captures packets on the network.
Proxy agents: Application- and protocol-specific implementations that act on behalf of their intended application protocols.
Pseudorandom numbers: Numbers that appear to be random. The key attribute of pseudorandom numbers is that they cannot be predicted.
PTR record: A record used to perform a reverse lookup for a host.
Public key: A key that is known to the world. Used in asymmetric encryption.
Public network: A network that can be accessed by anyone.
Purple: A cryptographic machine invented by the Japanese in World War II. It used telephone stepping switches to generate the keys.
Qualitative loss criteria: A category of potential loss that includes losses that cannot be accurately estimated as a dollar amount, including loss of competitive advantage, market share, or public opinion.

490 GLOSSARY
Qualitative risk analysis: A method of risk analysis in which values are taken from domains without an underlying mathematical structure, such as the advice of security experts.
Quantitative loss criteria: A category of potential loss that can be estimated as a dollar amount, including loss of revenue, expenditure, or liability resolution.
Quantitative risk analysis: A method of risk analysis in which values are taken from a mathematical domain, such as monetary value or probability of occurrence.
Quarantining attachments: Removing attachments from an email before the email is delivered to the recipient.
Query: A command written in SQL and sent to a database.
RADIUS client: A dial-in server, VPN server, or wireless access point that uses a RADIUS server to perform authentication, authorization, and/or auditing.
RADIUS server: A server that provides authentication, authorization, and/or auditing for RADIUS clients.
RAID 0: A technology in which data is striped across multiple disks. It offers better performance, but does not provide redundancy. Also referred to as disk striping.
RAID 0+1: See RAID 10.
RAID 1: A technology in which data is mirrored to a second disk. It protects against failure of a single hard disk. Also referred to as disk mirroring.
RAID 1E: A technology in which data is mirrored in stripes across three or more disks. It protects against failure of a single hard disk. Also referred to as a striped mirror.
RAID 5: A technology in which data is striped across disks and a parity stripe is written to allow recoverability if a single disk fails. Also referred to as striping with parity.
RAID 5EE: A technology in which data is striped across disks and a spare stripe is also created to prevent performance degradation when a disk fails. Protects against a single disk failure. Also referred to as hot space.
RAID 6: A technology in which data is striped across disks and a parity stripe is written to two disks. Protects against two drive failures. Also referred to as striping with dual parity.
RAID 10: A technology in which data is mirrored and then striped to provide better performance and protection against a single drive failure. Also referred to as RAID 0+1 or striped RAID 1 arrays.
RAID 50: A technology in which multiple RAID 5 arrays are striped to provide better performance and protection against a drive failure in each array. Also referred to as striped RAID 5 arrays.
RAID 60: A technology in which multiple RAID 6 arrays are striped to provide better performance and protection against two drive failures in each array. Also referred to as striped RAID 6 arrays.
RAID-on-Chip technology: A type of hardware RAID in which the RAID processor and drive interfaces are built onto the motherboard.
RARP: A protocol that enables a computer in a LAN to determine its IP address based on its MAC address. Stands for Reverse Address Resolution Protocol.

GLOSSARY 491
RBAC: An access control model in which permissions are granted to one or more roles and users are assigned to one or more roles. Therefore, the role serves as an intermediate layer. Stands for role-based access control.
Real evidence: See Physical evidence.
Recovery team: A team with the responsibility of restoring business operations during a disaster.
Recycle Bin: A temporary repository for deleted files on a Windows computer.
Redundant: Duplicated.
Redundant Array of Independent Disks (RAID): A technology that uses multiple disks to eliminate the disk as a single point of failure and to protect data against the failure of one (or sometimes more) disks.
Registry: A database on a Windows computer that stores hardware and software configuration settings.
Remote access server: A server that provides network access through a dial-up connection.
Remote access server (RAS): A server responsible for providing network access to dial-up or virtual private network (VPN) clients.
Remote Assistance: A remote management technology that allows one user (the novice) to invite another user (the helper) to access the novice's computer remotely.
Remote Authentication Dial-in User Service (RADIUS): A standard for implementing centralized authentication, authorization, and auditing for remote and wireless access.
Remote Desktop for Administration: A management tool that allows you to connect to a Windows desktop as if you were logged in interactively.
Remote Desktop Protocol (RDP): The protocol used to access a computer using Remote Desktop for Administration.
Remote login: A command in UNIX that begins a terminal session between an authorized user and a remote host on a network. The user can perform all functions as if he or she were actually at the remote host.
Remote management plan: A plan that identifies computers that must be managed remotely, the tools that will be used, and any security requirements for remote management.
Remote procedure call (RPC): The protocol used when one application accesses another application on the network using DCOM.
Remote Procedure Call Locator (RpcLocator): Service that allows computers to find a server running the remote procedure call (RPC) service.
Replay attack: An attack in which an attacker captures and then replays a packet sent between a browser and a web server or an email. The attacker might optionally modify the packet before replaying it.
Replays: Attacks in which data are captured and replayed with or without modification.
Replicate: To reproduce by creating a copy of itself.

492 GLOSSARY
Repudiated: Denied.
Restricted sites zone: The Internet Explorer and Outlook security zone that contains addresses that should be treated with more stringent security restrictions than addresses in the Internet zone.
Reverse lookup: A DNS query sent to retrieve the host name of a host when the IP address is known.
Reversible encryption: An encryption method that can be decrypted. Symmetric or asymmetric encryption is reversible. A one-way hash is not reversibly encrypted.
RFC 1994: The Request for Comment that describes the CHAP protocol for PPP.
RFC 2401: The Request for Comment that defines the security architecture for IPsec.
RFC 2402: The Request for Comment that defines the Authentication Header component of IPsec.
RFC 2406: The Request for Comment that defines the Encapsulating Security Payload (ESP) component of IPsec.
RFC 2409: The Request for Comment that defines the Internet Key Exchange (IKE) protocol.
RFC 2488: The Request for Comment that describes MS-CHAP.
RFC 2898: The Request for Comment that describes 802.11i pre-shared key mode.
RFC 3227: A Request For Comment that details the guidelines for collecting documentary evidence.
RFC 4306: The Request for Comment that defines IKEv2.
Rijndael: A symmetric encryption algorithm that is a variant of AES. It supports both key and block sizes of any multiple of 32 bits between 128 bits and 256 bits.
RIP: A routing protocol that sends routing update messages to other network routers at regular intervals and when the network topology changes. Stands for Routing Information Protocol.
Risk: The possibility that some incident or attack can cause damage to your enterprise.
Risk analysis: The process of identifying a risk and assessing its likelihood and impact.
Risk analysis tool: Software that systematically analyzes a system or network to identify vulnerabilities.
Rlogin: See Remote login.
Roaming: The process of moving between wireless access points.
Roaming disconnect support: A feature of Remote Desktop that allows the programs you start to run even if you are disconnected.
Rogue DHCP server: An unauthorized DHCP server that assigns addresses from the wrong scope or from an overlapping scope.
Role: Job or task used to determine the necessary access.
Rolling backup: See Mobile backup.
root: The username of the superuser account on a Unix computer.

GLOSSARY 493
Root CA: The first CA you install. It has a self-signed certificate and is responsible for validating the CAs beneath it in the hierarchy.
Rooted: A condition in which a backdoor has been installed.
Routing and Remote Access Server (RRAS): The component of Windows Server 2003 that allows you to support dial-up and VPN access.
RPC: A Session layer protocol that supports procedure calls where the called procedure and the calling procedure might be on different systems communicating through a network. RPC is useful in setting up distributed, client-server-based applications. Stands for remote procedure call.
RSA: An asymmetric encryption algorithm developed by Ron Rivest, Adi Shamir, and Len Adleman.
RSA pseudorandom generator: A pseudorandom number generator that is considered secure because cracking it requires factoring large numbers.
rsh: A Unix utility that allows you to execute shell commands remotely. Stands for remote shell.
Rule base: See Filter.
Rule-based access control: A type of mandatory access control (MAC) in which rules determine access privileges.
Ruleset: See Filter.
S/MIME: A technology used to encrypt and digitally sign email messages. Stands for Secure/Multipurpose Internet Mail Extensions.
SA: Information about the algorithms and key to use during an ESP transmission. Each side of the conversation requires a SA. Stands for security association.
SACL: The part of the security descriptor that dictates which events are to be audited for specific users or groups. Stands for system access control list.
Safe for execution: A security level for an ActiveX control. The developer certifies that the control will not do anything harmful if it is embedded in a web page.
Safe for scripting: A security level for an ActiveX control. The developer certifies that there are no properties that can be set in script in such a way that they do harm to the client computer.
Salting: The addition of random data to a message before it is hashed.
Salvage team: A team that is responsible for repairing, cleaning, salvaging, and determining the viability of the primary processing infrastructure.
SAM database: A database that stores user credentials on a computer running Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003. Stands for Security Accounts Manager database.
Sanitized: The status required for a destination disk when creating a forensic disk image. Sanitizing a disk is a process of removing all previous contents from the disk.
Scope and plan initiation phase: The first step in the business continuity planning process. It defines the scope of the plan and examines the company’s operations and support services.

494 GLOSSARY
Screened subnet: A protected area on the network that is used to run services that are shared outside the organization. See DMZ.
Script kiddies: An attacker who has little insight into the vulnerabilities or features of a system, but uses a script to launch an attack.
Scripts: Code that is executed by a scripting host or macro and does not need to be compiled as an executable.
SCTP: A protocol similar to TCP, except that it transmits multiple streams of messages instead of a single stream of bytes (TCP can only send a single stream of bytes). Stands for Stream Control Transmission Protocol.
Secondary logon: The feature in Windows 2000, Windows XP, and Windows Server 2003 that allows you to change your security context when running a specific application by launching the application using the Run As command.
Secondary network: A network dedicated to accessing a computer for remote management.
Secrecy: Protection of data belonging to an organization.
Securable: See Object.
Secure baseline: A plan for applying the pieces of a trusted computing base to computers.
Secure by default: A characteristic of an operating system or application that ensures that when a user installs it using a default installation, known security vulnerabilities are closed and features that might cause security holes are turned off.
Secure Shell (SSH): A terminal emulation program that allows you to use strong authentication and encryption.
Secure updates: A type of dynamic update in which only computers that are members of the domain can create or modify its host record. Secure updates can only be used on Active Directory–integrated zones.
Security access control list (SACL): A part of an Active Directory® object, file system object, or printer that lists the users and groups for whom access should be audited and the events that should be audited.
Security Configuration and Analysis snap-in: A Microsoft Management Console (MMC) snap-in that is used to analyze a computer's configuration against a security template.
Security Configuration Wizard (SCW): Microsoft Windows Server 2003 wizard that simplifies the configuration of a server that hosts one or more roles. Includes an XML database of recommended security settings for various roles.
Security descriptor: A part of an object that contains the security information for that object. A security descriptor includes a DACL, a SACL, and the object owner.
Security group: An Active Directory group that has an SID, and therefore can be assigned access permissions.
Security manager: A part of the Java Virtual Machine that monitors what an applet does and prevents it from performing tasks that might be harmful.

GLOSSARY 495
Security policy: A document that defines the objects that should be protected and how that protection should be performed.
Security principal: An authenticated user or computer. A user, computer, or group that can be assigned access to a resource.
Security template: A file that contains a definition of security settings that should be configured for a computer.
Security Templates snap-in: A Microsoft Management Console (MMC) snap-in that is used to create, view, and modify security templates.
Security update: A software update that fixes a security vulnerability. Also referred to as a patch.
Security update infrastructure: A system or set of systems that automates the deployment of security updates and service packs.
Self-propagation: A method by which malware reproduces without requiring a user’s assistance.
Self-signing: The process in which a CA validates its own certificate.
Semi-private network: A network that might carry confidential information and that has some regulations about who can access it.
Separation of services: The security strategy in which each major service runs on its own host.
Sequence number: A field in an ESP packet that allows the sender to determine whether the packet is part of a legitimate conversation or used in a replay attack.
Serial Line Internet Protocol (SLIP): An early dial-up networking protocol that allows remote access using TCP/IP.
Server Operators: An Active Directory built-in Domain Local group whose members can manage domain member computers.
Server role: The job a server performs on a network.
Server-side program: A web component that executes on the web server and sends HTML to the browser.
serveradmin role: A SQL Server fixed server role that allows members to modify server configuration settings, start the server, and stop the server.
ServerHello: A server's response to an SSL ClientHello message. The ServerHello message selects the cipher to use and sends the client a certificate chain for authentication.
Service bureau: An organization that provides alternate processing services during an emergency.
Service Level Agreement (SLA): An agreement in which a company promises that a resource will be available within a certain amount of time after an incident, system failure, or disaster.
Service processor: A special processor that includes its own power supply and allows access to system management features if the kernel is not running. Can be located on a motherboard or expansion card.

496 GLOSSARY
Service set identifier (SSID): An identification number that clients use to connect to a wireless network. Both the client and the WAP must use the same SSID. However, by default, WAPs broadcast the SSID.
Session cookie: See Nonpersistent cookie.
Session hijacking: A type of man-in-the-middle attack in which an attacker captures traffic that includes either authentication credentials or an authentication cookie and then uses that data to impersonate the client.
Session layer: The layer of the OSI model that negotiates and establishes a connection with another computer.
Sessionless: A communication in which each request is sent independently from all other requests between the client and server.
SFTP: A protocol that is replacing FTP. SFTP is a client that is similar to FTP and uses SSH or SSH-2 to provide secure file transfer. It provides increased security because it includes strong encryption and authentication. Stands for Secure File Transfer Protocol.
SGID program: A program configured to run under a specific group account, regardless of who is executing it. Stands for set groupID program.
SHA-1: A standard algorithm for hashing data.
Shadow copy: A Windows Server 2003 and Windows Vista™ technology that saves multiple copies of a file so that a user can revert to a previous copy if a user error or file corruption occurs.
Share permissions: Permissions that protect a network share. Share permissions are only used to determine access when a user connects using Windows file sharing.
Shared folder: A folder on a Windows computer that has been shared to the network.
Shift: The offset in a substitution cipher. The shift is used to build the table that serves as the key.
Shiva Password Authentication Protocol (SPAP): A legacy remote access authentication protocol in which passwords are transmitted using a reversible encryption format.
Shoulder surfing: A social engineering attack in which a person looks over a person’s shoulder as the person types his or her password.
SID: A machine-readable unique identifier for a security principal, such as a user, computer, or group. Stands for security identifier.
Signature-based IDS: An IDS that uses attack signatures to characterize an attack. Activity is compared against the attack signature database to determine whether suspicious activity is occurring.
Simple file sharing: A type of file sharing in which the Guest account is used to access files and the user is not actually authenticated.
Simple Mail Transfer Protocol (SMTP): A protocol used to send email.
Simulation test: A test of the disaster recovery plan in which the response teams perform their response functions, but do not initiate recovery procedures. Also referred to as a walk-through drill.

Single point of failure: A weakness in a network that can cause a resource to be unavailable because the component's function is not redundant.
Single sign-on: The ability for a user to gain access to multiple servers by authenticating a single time.
Single-key encryption: See Symmetric encryption.
Site: A grouping of computers that usually represents a geographic location.
Slack space: Space in a cluster that is left over when a file does not require the entire cluster.
Slag code: See Logic bomb.
SLIP: A legacy protocol that defines a sequence of characters that frame IP packets on a serial line. It is used for point-to-point serial connections running TCP/IP, such as dial-up or dedicated serial lines. Stands for Serial Line Internet Protocol.
Slogin: The secure version of Rlogin, used by SSH.
Smart card: A special card containing a chip that can store digital certificates and private keys. A user must have the card and know the PIN number in order to be authenticated; this type of authentication is known as two-factor authentication.
SMB: A protocol used for file sharing on a Windows network. Stands for Server Message Block.
SMB signing: The process of adding a keyed hash to each SMB packet to provide authentication and integrity, but not confidentiality. Stands for Server Message Block signing.
SMTP: An Application layer protocol that supports the transmission and reception of email. Stands for Simple Mail Transfer Protocol.
Smurf attack: A type of denial-of-service attack in which the attacker sends an ICMP echo request with a spoofed sender address to a broadcast address of a network. The responses flood the spoofed sender's address and make it too busy to respond to legitimate requests.
SNMP: An Application layer protocol that supports the exchange of management information among network devices through a management entity that polls these devices. It is a tool used by network administrators to manage the network and detect problem areas. Stands for Simple Network Management Protocol.
Social engineering: An attack that involves people, not computers. A social engineering attack is one in which the attacker convinces a victim to provide information, such as a password, that can be used to launch an attack.
Sockets: Programs used to access the TCP/IP protocol services.
Software Update Services (SUS): A freely downloadable server application that can be used to download updates from the Windows Update website for approval and distribution.
Spam: Unwanted email. Spam can include email containing malware or advertisements.
Spam DoS attack: A denial-of-service attack launched by sending so much spam using a forged address that it overloads the mailbox of the forged address and prevents the legitimate use of the address or causes the forged address to be blacklisted.

Spam filter: Software that attempts to identify spam based on the content of the message and other information it can gather about the message or its sender.
Spammer: A person or organization that sends spam.
Special Administration Console (SAC): An EMS remote management console that can be used as long as the kernel is running and that allows you to issue user mode commands.
!Special Administration Console (!SAC): An EMS remote management console that runs when SAC cannot, but provides only limited capabilities.
SPI: A 32-bit field in an ESP packet that, together with the destination IP address and the security protocol (ESP), uniquely identifies the security association for the datagram. Stands for Security Parameters Index.
Spoof: The act of pretending to be someone or some computer that you are not.
Spooled: A condition in which a print job is temporarily stored on the hard disk while waiting to be sent to the printer.
SPX: A protocol maintained by Novell that provides a reliable, connection-oriented transport service. Stands for Sequenced Packet Exchange.
SpyBlast: A browser parasite that claims to locate and eradicate spyware, but that in actuality displays pop-up advertisements.
Spyware: An application that gathers information about a workstation or user. The information gathered is most commonly used to launch advertising campaigns, but could sometimes be used for identity theft.
SQL injection attack: A type of attack against a database server in which the attacker enters data in a field that causes a dynamically constructed query to execute malicious commands.
SRV record: A record that identifies a computer that provides a specific service.
SSH: A secure remote administration technology for Unix that provides authentication and encrypted transmission (over TCP/IP). It is used in place of Telnet. Stands for Secure Shell.
SSH-2: The latest version of SSH, and so more secure than its predecessor.
SSL: A protocol that resides between the Transport layer and Application layer of the protocol stack to provide authentication, integrity, and confidentiality. Stands for Secure Sockets Layer.
SSL Handshake Protocol: The component of SSL that agrees on the cryptographic parameters for the session.
SSL Plaintext records: The data in an SSL transmission that has been broken into fragments but not yet encrypted.
SSL Record Layer: The component of SSL that fragments and encrypts data.
Stack: An internal structure where the operating system places the commands that should execute in a last-in-first-out (LIFO) order.
Stand-alone CA: A CA that is not integrated with Active Directory.

State: Information about the current session between a web browser and a website. One way to manage state is by using cookies.
State table: The table that stores connection information in a stateful inspection firewall.
Stateful inspection: See Stateful packet filtering.
Stateful packet filtering: A firewall technique that uses a table to keep track of connection pairs and that compares each packet against that table.
Statistical anomaly IDS: An IDS that profiles normal usage patterns and compares them with the current usage pattern to detect suspicious activity.
Stealth mode: A wireless access point mode in which the SSID is not broadcast, so the client must be manually configured with the SSID in order to connect.
Sticky bit: A Unix permission bit used to prevent a file from being deleted. To set the sticky bit, set the Execute bit to t instead of x.
Storage area network (SAN): A network that includes storage devices that can be shared among servers. A storage area network uses either fibre channel or iSCSI for communication.
Store and forward server: An email server that stores messages until they are picked up or routed to the next stop in the route to their destination.
Stream cipher: A symmetric encryption algorithm in which each byte in the plain text is processed with the bytes preceding it.
STRIDE threat model: A list of threat categories created by Microsoft.
String buffer: A memory location set aside to store a specific number of characters.
String signature: A text string that indicates a possible attack.
Striped mirror: See RAID 1E.
Striped RAID 1 arrays: See RAID 10.
Striped RAID 5 arrays: See RAID 50.
Striped RAID 6 arrays: See RAID 60.
Striping with dual parity: See RAID 6.
Striping with parity: See RAID 5.
Strong password: A password that is difficult to guess or crack using a dictionary or brute force attack.
Structured Query Language (SQL): The ANSI standard relational database query language.
Structured walk-through test: See Tabletop exercise.
Subject: An entity that is granted or denied permission to use an object. Usually an individual or a process.
Subordinate CA: A CA that has a certificate signed by another CA in the hierarchy.
Substitution cipher: A cryptographic algorithm in which each letter in the plain text is replaced by a different letter to create the cipher text.

SUID program: A program configured to run under a specific account, regardless of the user who is running it. Stands for set userID program.
superuser: The all-powerful user on a Unix system (root user).
Support_388945a0: A built-in Windows user account used by the Help and Support feature. It is normally disabled.
svchost.exe: A Windows application that allows multiple services to run within its context.
Switch: A network device that limits the traffic to the destination associated with a specific port. A switch can be used to create smaller broadcast domains.
Symmetric encryption: A method of encryption in which the same key is used to encrypt and decrypt the data.
Symmetric master key: A key that is known by the authentication server and client station for the positive access decision.
SYN message: A packet used to request a conversation or to synchronize sequence numbers.
Systat: A Unix troubleshooting tool that reports information about the processes running on a system.
System state backup: On a Windows computer, the backup of the operating system configuration.
Systems Management Server (SMS): A comprehensive change management and configuration solution that can deploy applications and manage security updates and other assets.
Tabletop exercise: A test of the disaster recovery plan in which members of the emergency management group discuss their responsibilities and step through the plan verbally. Also referred to as a structured walk-through test.
TACACS+: An enhancement to TACACS that provides dynamic passwords, two-factor authentication, and improved auditing.
Tag: An identifier used to group computers onto a VLAN.
Tail-log backup: A backup of a relational database transaction log that is taken immediately before performing recovery.
Task Manager: The Windows utility that allows you to view a list of running processes.
Tasklist: A Windows command-line utility that allows you to view a list of running processes, including the services running under each process that hosts multiple services.
TCP: A highly reliable, connection-oriented protocol used in communications between hosts in packet-switched computer networks or interconnected networks. Stands for Transmission Control Protocol.
TCP session hijacking: An attack in which an attacker opens a legitimate connection to a server to obtain a sequence number, then impersonates a client by changing the source IP address in a packet and changing the sequence number to a best guess based on the attacker's legitimate request.

TCP SYN flooding attack: A denial of service attack in which a large number of SYN packets is sent to a server without completing the conversation initiation handshake.
TCP/IP model: A layered model that defines the layers at which the members of the TCP/IP protocol operate.
Telnet: A remote administrator protocol that operates in clear text. Telnet presents a security risk. Also a terminal emulation program that sends data in clear text.
Temporal key: A key that protects transmitted data and varies with time.
Temporal Key Integrity Protocol (TKIP): A strategy for managing wireless network encryption keys that is based on the WEP algorithm but eliminates some of its vulnerabilities.
Temporary file: A file created by an application. Usually deleted when the application is closed, but sometimes they remain on disk.
Temporary Internet files: Files downloaded from a website by a browser. They can include graphics, cookies, and other files.
Terminal Access Controller Access Control System (TACACS): An authentication protocol that provides centralized remote access authentication and related services, such as event logging. Similar to RADIUS.
Terminal concentrator: A hardware device that contains a number of serial ports and that can be used to connect multiple servers for EMS management.
Terminal emulation: A program that allows a user to execute commands on a remote system.
Terminal Services: An earlier version of Remote Desktop for Administration used in Windows 2000. Terminal Services is also supported in Windows Server 2003 for running applications remotely.
TFTP: Reduced version of FTP; it does not provide authentication or accessing of directories. Stands for Trivial File Transfer Protocol.
TGS: A Kerberos service that is responsible for supplying the client with a ticket-granting ticket (TGT). Stands for ticket-granting service.
TGT: An object that is presented to the ticket-granting service to request a ticket for another server. Stands for ticket-granting ticket.
The Sleuth Kit: A freely downloadable set of command-line forensics tools available for Unix, Linux, Mac OS X, and Windows.
The wild: A term used to refer to a public network, such as the Internet.
Third-party cookie: A cookie that is downloaded from one domain and that sends data back to another domain.
Threat: An action by an adversary that tries to exploit a vulnerability to damage assets.
Three-pronged configuration: A perimeter configuration in which a device has three network adapters: one on the Internet, one on the screened subnet, and one on the internal network.

Throughput rate: The rate at which the system processes and identifies or authenticates individuals.
TIFF: A public domain raster file graphics format. It does not handle vector graphics. TIFF is platform-independent and was designed for use with printers and scanners. Stands for Tagged Image File Format.
Time bomb: A logic bomb that uses a date or time as the triggering event.
TLS: The latest version of SSL. Stands for Transport Layer Security.
Total cost of ownership (TCO): The total cost of purchasing, implementing, supporting, and maintaining a computer.
Transaction log: A file that stores changes to data in a relational database before they are written to the database.
Transaction log backup: A backup of a relational database transaction log.
Transaction Signatures (TSIG): A cryptographic signature that verifies the identity of a DNS server receiving a zone transfer.
Transactional data: Data stored and managed by a relational database management system.
Translation table: In NAT, a table that maps public IP addresses to internal private IP addresses.
Transport layer (OSI model): The layer of the OSI model that supports reliable end-to-end delivery of data.
Transport layer (TCP/IP model): See Host-to-Host layer.
Transport mode: An ESP mode in which the upper-layer protocol frame, but not the IP header, is encapsulated. Provides end-to-end encryption.
Trapdoor: See Backdoor.
Trojan horse: A program that masquerades as a legitimate program, while performing a covert function that is usually malicious.
Trojan horse applications: Software that pretends to be legitimate applications, but actually performs malicious tasks.
Trust relationship: An association that allows computers and users in Domain A to trust computers and users in Domain B based on its authentication by an authentication server in Domain B.
Trusted computing base: The total combination of protection mechanisms in a computer system.
Trusted host: A Unix host that is trusted because the user name is the same on both the local and remote computers.
Trusted sites zone: The Internet Explorer and Outlook security zone that contains addresses that should be treated with fewer security restrictions than the Internet zone.
Trusted zones: DNS domains for which Internet Explorer® enforces fewer restrictions.
Tunnel: To send data through an unsecure network by encapsulating the data inside protocol headers and trailers.

Tunnel mode: An ESP mode in which the entire IP datagram is encapsulated within an outer IP datagram. This mode allows gateway-to-gateway security for hosts that are not IPsec-aware.
Two-factor authentication: A type of authentication in which you must present two different authentication factors, for example, something you have and something you know.
Type 1 authentication: A type of authentication in which the credential provided is something you know. The most common example of type 1 authentication is using a password.
Type 2 authentication: A type of authentication in which the credential you provide is something you possess.
Type 3 authentication: A type of authentication in which the credential you provide is something you are. Biometrics is an example of type 3 authentication.
Type I error: See False rejection rate.
Type II error: See False acceptance rate.
UDP: An "unreliable" protocol in that it transmits packets on a best-effort basis; it does not provide for error correction or for the correct transmission and reception sequencing of packets. Stands for User Datagram Protocol.
UID: A 16-bit number that identifies a user on a Unix computer. Stands for user identity.
Unicast packet: A packet that is sent to a single computer.
Uniform Resource Locator (URL): The path to a web site. It takes the form protocol://hostname_or_IPaddress/path/filename?querystring. The path, filename, and query string are optional.
Universal group: An Active Directory group that is available in native mode domains only. Its members can be accounts, Global groups from any domain, and other Universal groups.
Unused IP space: Unassigned addresses in an IP subnet.
UOWHF: A hash function that is resistant to hash collisions. Stands for Universal One Way Hash Function.
UrlScan: An ISAPI filter that screens and analyzes URLs and other web server requests before Internet Information Services (IIS) processes them.
User mode access: Access to commands that run under the context of a user and that can access memory available to user processes.
User-based access control: A method in which a user is authenticated and the user's SID is used to determine resource access permissions.
User-directed discretionary access control: A type of discretionary access control in which a user can alter access privileges.
Users: An Active Directory built-in Domain Local group whose members have limited access in the domain.
utmp command: Unix or Linux command that records accounting information used by the who command.

Verb: A type of HTTP command that tells the web server to perform a specific action.
Vigenere cipher: A cryptographic algorithm in which a repeating keyword is used as the key for generating the cipher text.
Virtual machine: Runs an operating system and one or more applications. To network clients, it is accessed as if it is a physical server.
Virtual private network (VPN): A secure tunnel through a non-secure network such as the Internet.
Virtualization: The process of installing multiple virtual machines on a single physical host.
Virus: Code that attaches itself to legitimate software, such as an application or data file. A virus requires a host to transport it from computer to computer.
Virus signature: A pattern of bits inside a virus that the antivirus program uses to identify it.
Visual Basic script (VBScript): A script written in the Visual Basic® scripting language. Visual Basic is a programming language that evolved from BASIC.
VLAN: A logical network segment that is defined by grouping computers based on organizational requirements instead of on physical location. Stands for virtual local area network.
VLAN 1: The default VLAN to which a host belongs if no tag is specified.
VLAN hopping: An attack in which the attacker modifies the VLAN ID (tag) on a packet to bypass Layer 3 devices, such as routers and firewalls.
VLAN ID: See Tag.
Volatile data: Information that is destroyed when a computer is shut down.
Volume shadow copy: The Windows technology that allows a file to be backed up even if it is in use.
Vulnerability: A weakness of a system that could be accidentally or intentionally exploited to damage assets.
Vulnerability assessment: Performed during the business impact assessment. Similar to a risk assessment.
Vulnerability scanner: See Risk analysis tool.
Walk-through drill: See Simulation test.
War chalking: The process of leaving a mark on a building or sidewalk to let others know the location of an unsecured wireless access point.
War dialers: Devices that automatically dial phone numbers looking for a remote access server.
War driving: The process of searching for unsecured wireless access points by driving around with a wireless network card and software that can detect unsecured access points.
Warez list: A list of anonymous FTP and vulnerable writable directories. Often used by attackers to transfer pirated software.

Warm site: A backup site that has most peripheral equipment installed, but the principal computers are not installed.
Web beacon: A link to a graphic or other resource on a web server that logs the email addresses that open the link. This tells the attacker that the email is being opened.
Well-known ports: Ports numbered between 0 and 1024 that are identified with a specific TCP/IP Application layer protocol.
Well-known SID: An SID used on every computer or in every domain. For example, the Everyone SID is always S-1-1-0.
WEP open authentication: A WEP authentication method in which the client is authenticated solely on the basis of its knowledge of the SSID.
WEP shared key authentication: A type of challenge-response authentication used with WEP. It is inherently weak because the challenge string is transmitted as clear text.
who command: A Unix or Linux command that displays the users who are logged in to the computer and when the connection began. It might also display the name of the computer where the user is logged in interactively.
Wi-Fi®: See Wireless fidelity.
WiFi Protected Access (WPA): An authentication and encryption strategy for wireless networks that prevents some WEP vulnerabilities but provides backward compatibility with existing hardware. WPA uses TKIP.
Windows Backup: The backup utility included in Windows operating systems.
Windows Internet Name Service (WINS) server: A server responsible for resolving NetBIOS names to IP addresses.
Windows Live authentication: A public central authentication server that issues credentials to users on the Internet. Applications on the Internet can interface with Windows Live to authenticate users.
Windows Server Update Services (WSUS): The latest enhancement to SUS. It can deploy not only updates for the operating system, but also those for supported Windows applications.
Windows update: A website hosted by Microsoft that contains the latest service packs and patches for Windows operating systems and some Microsoft applications.
WinHex: A forensics utility for Windows that can be used to sanitize a disk, create a hash, and make a bitstream copy.
WINS replication: The process of copying WINS records from one WINS server to another.
Wired Equivalent Privacy (WEP): An encryption method for wireless networks that authenticates users based on their knowledge of a shared secret and uses that shared secret along with an initialization vector to encrypt message packets. The IV is transmitted in clear text, and the IV must be reused frequently.
Wireless access point (WAP): A networking device for a wireless network. A WAP can allow clients to connect in infrastructure mode and can act as a bridge to a wired network.
Wireless fidelity (Wi-Fi): A general term used to describe a wireless network that connects two or more computers.

Wireless LAN (WLAN): A LAN that uses a wireless connection medium based on an 802.11 standard.
Word salad: A technique to try to circumvent spam filters by inserting random or nonsense words into the body of a message.
Worm: Malicious code that is self-propagating and exploits a vulnerability in a program.
Write blocker: Hardware or software that prevents a hard disk's contents from being modified.
Written security policy: Set of written laws, rules, and practices that regulate how an organization manages, protects, and distributes resources to achieve specified security policy objectives.
wtmp command: The Unix or Linux command that stores information about each time a user logs in or logs out.
X-Ways Forensics: A forensics tool kit for Windows.
X.509 certificate: An electronic document that contains information about its owner, the public key of its owner, and the signature of a validator.
XOR function: A binary operation performed on two strings of bits. If the bits are different, the result is a 1. If the bits are the same, the result is a 0.
Zombie: A host on which a Trojan horse is installed in order to launch a distributed denial-of-service attack.
Zone: A container on a DNS server that corresponds to a DNS namespace. A zone contains DNS records.
Zone transfer: A method of sharing DNS records with one or more other DNS servers.

455 %systemroot%. 131 Access client. cryptographic. 338. 304 web servers. 139–40 Account Logon. 150–51 examples. 32 American National Standards Institute (ANSI). 158 Accountability. 161–63 Windows overview. 165–71 mandatory access control. 15 Anonymous access. 161. 174 Unix principals. 298. 21 ARP (Address Resolution Protocol). 238 Access control. 340 ADI (Active Directory-integrated) zones. 34. 301–03 overview. 324–25 ActiveX controls. 299 Access control settings. 64 Application servers. 150. 189–90 ACL (access control list). securing database servers. 277 Active node. 153. 6. 161. 120 802. 453 > operator. 447 introduced. 151. 337 Active Directory authentication. 340 A A record. 169–71 Administrators. 173 Access control list (ACL). 161. 140 Account operators. 173. 349 Add-ons. 324–25 Ad hoc mode. 173. 161. 170 || symbol. 301 American Standard Code for Information Interchange (ASCII). 33–34 TCP/IP model. enabling. 13 Access tokens. 124 client extensions. 9–10 acct command. 322 AH (authentication header). 41–42 Application proxy firewalls.1x configuration. 163–64 reversible encryption. 288 integrated zones. 206 AirSnort. 123 Anonymous FTP. 295–96. 161. 227–28 routing and remote access service. 150. 324 Address Resolution Protocol (ARP). 35 Applets (Java). 37 Address Resolution Protocol (ARP) spoofing tool. 123–25 Application layer OSI model. 150 principle of least permission. 319 Analysis paralysis. 110 object permissions. 162–63 Account Lockout policy. 22 Unix objects. 248–50 forest. 425 Active Server Pages (ASP). 163–64 discretionary access control. 338. 224. 317 AppleTalk Session Protocol (ASP). See also Authorization and access control Active Directory object permissions. 325–26 Application authentication. 234 Algorithms. 297 Anti-malware. 240 ADAM (Active Directory Application Mode). 225 Active Directory Application Mode (ADAM). 277 Administrative (hidden) shares. 158 Advanced Encryption Standard (AES). 173. 298–300 Appropriate use policy. 172–73 Windows model. 
173 Acknowledgement (ACK) message. 277 . 75 "All People Seem to Need Data Processing" pneumonic. 317–18 Antivirus software. 299 ActiveX.INDEX $ character. 158 Group Policy. 180 files and folders. 154 role-based access control. 133 database. 87–88 Adware. 280 Acceptability. 317 Anti-spyware. 299 Acrobat Reader. 154–61 Access control entries (ACE). 37 ARP (Address Resolution Protocol) spoofing tool. 162. 162. 151–52 overview. 369 ACE (access control entries). 154 Windows principals. 176–81 Unix overview. 151. 152–53 standards. 349 Active Directory-integrated (ADI) zones. 174–75 user rights assignment. 161. 203–04 ~ character. 446.

151–52 models. 130. 159 Backup sites. 295 monitoring. 119. 367–68 Unix. 3 tree. 414 tools. 136 Authenticator. 8. 153. 341–42. 361. analysis. 22 Asymmetric encryption. 339–41. 368–69 Windows. 18. 207 Authentication header (AH). 119 examples. 136 Authorization. 196.NET. 89. 80. 174 Unix principals. 407–08 system configurations. 135. 366 security templates. 303 definition. 409–10 overview. 370 Auditing baseline templates. 173. 4 Attacks. 359 definition. 292–93. 4 brute force. 6. 154 role-based access control. 406. 161. 136. 197 Backup Operators. 405–06 scripts. 154 Windows principals. 370. 20. 328–29. 55–56 Baseline template. 35 ASP. 64–65 profile. 299 ASP (AppleTalk Session Protocol). 163–64 examples. 442–43 firewalls and. 14–15 Audit. 127. 206 Authentication service (AS). 457 Autorun macros. 413–14 frequency. 343 replay. 15 smurf. 4–5 spam. 319 ASP (Active Server Pages). 125–31 definition. 312 Availability. 150 overview. 408–09 types of backups. 142–43 interactive logon. 136–41 protocols. 120–21 credentials. 366 Audit logs/audit trails. 301–03 TCP session hijacking. 98 computer. 154–61 Authorizing entity. 121–22 overview. 150. 408 testing recovery. 360 Autopsy Forensic Browser. 435 Attackers evidence left behind. 342 response to. See Honeypots man-in-the-middle. 119 Authorization and access control Active Directory object permissions. 182 principle of least permission. 369–71 Authentication application. 12. 342–45 SQL injection. 131–36 strategy. 128. 90–92. 9 hijacking. 366 files and folders. 327–28 honeypots. 14 buffer overflow. 265 configuration. 314–15 Back-to-back configurations. 8–9 B Backdoors. 407 requirements. 99 Attack signature database. See Wired equivalent privacy (WEP) Authentication data. 136 ASCII (American Standard Code for Information Interchange). 34. 410–11 Backups. 174–75 Windows model. 16. Server security automated. 401–02 Backup strategy assigning responsibility. 152–53 Unix objects. 285. 143 password and account best practices. 
150 Automatic Updates (Windows). 180 mandatory access control. 367 Automating updates. 119–20 mutual. 189–91 against third parties. 11 denial-of-service. 269 standards and guidelines. See Denial-of-service (DoS) attacks dictionary.508 INDEX AS (authentication service). 411–13 media selection for. 123. 368 security audits. 367–68. 265 Baselines . 337–39. 226–27 wired equivalent privacy. 129–31 in CIA. 294. 161–63 Windows overview. 9 social engineering. 299 Assets. 123–25 biometrics. 340 phishing. See also Malware protection. 176–81 Unix overview. 14 flooding.

99–100 designing hierarchy. 277–78 Biometrics. 64 example. 84–85 substitution. 205 Characters. 223–24 Change control. 263–64 virtualization. See Certificate authority (CA) Cache poisoning. See Risk analysis Callback option. 77 Buffer overflow attack. 124 Bastion host. example. 85–88 Blocking ports. authentication). 101–02 Certificate revocation list (CRL). 402 chgrp command. cryptography. 64–65 network address translation. 33 BIND name server. 103–07 from other organizations. 75–77 Vigenere. 80. 66 firewalls. general. 358 ChangeCiperSpec message. 34 Border security application proxy firewalls.INDEX 509 example. 198 Broadcast packets. 58–60. 85–88 historical. 54–55 CER (crossover error rate). 87 CGI (Common Gateway Interface). 122 ClientHello message. See Web browser security Brute force attack. 139. 107 Challenge Handshake Authentication Protocol (CHAP). 203 . private. 195–96 Behavior-based IDS. 313 Browsers. 22. 87 Cipher spec. 23 network security. 272–73 secure. 303 Business continuity planning. 128–29 Certificate path. 273–74 Basic authentication. 131 Certificate authority (CA) definition. 100 Certificates digital. 228 CAPolicy. 330–31 Certification Practice Statement (CPS). 108 Certificate requests. 65–67 overview. 136–41 compliance with standard. 47–48 CBC (cipher-block chaining). 82 Chargen. 359 Clearance. 180 chmod command. 344 Block ciphers. 57 packet-filtering firewalls. 86 Ciphers block. 107 Certificate policy. 281–83 Calculating risk. integrity. 264 Security Configuration Wizard. 62–63 "Break the stack. 435–36 Berkeley Internet Name Domain (BIND). 111–12 smart cards. 227 Challenge-and-response. 299 Chain of custody. 60–62 perimeter defense. 108–09 PKI role. 272 implementing. 449 Blacklist. 202 Cipher text. 51 Checklist review. 77–78 CIs (configuration items). 76 Cipher-block chaining (CBC). 105 secure socket layers. 110–11 revocation. 61 Browser parasites.inf file. 45–49 risk analysis. 108 Castle security metaphor. 86 CD-ROM drives. 
151 Client certificate. 99–100. 58 segmenting a network. 397–99 C CA. 79 one-time pad. 202. 270–71 security templates. 52–53 Blum-Blum-Shub pseudorandom generator. 104–05 renewals. 97–99 Cipher feedback (CFB). 33 Best practices authentication. 78–79 stream. 445 Chain of trust. 14 Brute force methods." 303 Broadcast domain. 396–99 Business impact assessment. 24 BIND (Berkeley Internet Name Domain). 111–12 Certificate templates. 311 BootP. 265–69 trusted computing base. 179 chown command. 223–24. 265 Linux servers. 129–31 Bitstream image. 180 CIA (confidentiality. 101 public vs. 57–58 stateful packet-filtering. example. 108 CFB (cipher feedback). 18 security policy. 81 Boot sector viruses.

83. 359 Configuration items (CIs). 47–49 Deleted files. 58. achieving. 301–03 Db_backupoperator roles. authentication (CIA). 111–12 Cross-certification. 311 Complement value. 83–90 XOR function. 150–51 DACL (discretionary access control list). 396–99 Cookies. 153 DCBP (Domain Controller Baseline Policy). 2. 153 Custom templates. 426 Code Red 2. 313 Decryption. 97–99 Configuration. 23 Computationally secure. 119–20 CRHF (Collision Resistant Hash Function). 268–69 Cyclic redundancy check (CRC). See also Cryptography Confidentiality. 64–65 infrastructure design. 8 Continuity planning. 359 Connectionless protocol. 33. 299 Communication procedure disaster recovery. 450–57 transmission. 434 CSIRT (Computer Security Incident Response Team). See Cryptography Default permissions. 36 Connection-oriented protocol. 84 Computer authentication. Clipping levels. 359 Configuration control. 403 Confidentiality. 12 encapsulation. 161–62 DAS (direct attached storage). 401 Collision Resistant Hash Function (CRHF). 403. 359 Configuration management. 94 CRL (certificate revocation list). 120–21 Computer Management MMC. 192 CPS (Certification Practice Statement). 75 examples. 167 Defense-in-depth principle. 312 Credentials authentication. 60 CRC values. 378 dd Utility. 49–59 Configuration auditing. 81–82 CSIRP (Computer Security Incident Response Plan). 404–05 Compiled. 140–41 firewall installation. 80. 331–34 Costs account risk analysis. 423 Data alteration. 96. 195 . 449 DDoS (Distributed Denial-of-service) attacks. 192 risk analysis. 99–112 symmetric encryption. integrity. 82 CIA. 84 Data Link layer. 403. 201–05 Database servers restoring. 94. 36 Consistency. 412 securing. 112 history. 171. 425. 190 backing up. 8 searching for on hard drive. 80. 16 security design. server. 108–09 Crossover error rate (CER). 449 Compliance. 75. 11. 113 primitives. external. 153 Dbcreator roles. 131 Cryptanalysis. 
359 Configuration identification. 153 Db_securityadmin roles. 90. 328. 378 dcomcnfg. 16–19 TCP SYN flooding attacks. 368 Clustering. 99. 109. 303 Code Red Worm. 92. 76 Cryptographic mechanisms. 90–92 characters (fictional examples). 193–94 Data Encryption Standard (DES). 108 Crackers. 403 Custom roles. 453–55 Demilitarized zone (DMZ). 434 Computer Security Incident Response Team (CSIRT). 97–99 definition. 75 Cryptanalysts. 289 DCOM (Distributed Component Object Model). 312 D DAC (discretionary access control). 6–7. 125–31 definition. 75–79 MMC. 80. 75 Cryptography asymmetric encryption. 10 Cryptographic primitives. 79–81 public key infrastructure. See Backup strategy definition. 327. 377 overview. 377–78 Computer Security Incident Response Plan (CSIRP). 31 integrity. 303 Cold site. 37–38 Data transmission protection protocols. 357–60 Configuration status accounting.

89 Discretionary access control (DAC). 396. 427 planning for. 105 Digital Signature Algorithm (DSA). 251 re-keying. 223–28 examples. 413–14 backup types. 228. 275 DNSUpdateProxy group. 250–51. 51. 276 likelihood. 92. 411–13 backup requirements. 167 EFS (Encrypting File System). 226 EBCDIC (Extended Binary Coded Decimal Interchange Code). 94. 222–23 Dictionary attack. 46–47 Determinate chain of notification. 407–10 backup responsibilities. 195 DNS (domain name system). 284 DHCP servers. 51 Edge Transport. 275–83 Domain principals. 159 Domain Computers. 54–55 Dynamic DNS updates. 229–30 protocols. 280–81 E EAP (Extensible Authentication Protocol). 33. 406. 51. 341 Direct attached storage (DAS). 425 DHCPINFORM message. 296 DSA (digital signature algorithm). 150–51 Discretionary access control list (DACL). 159. 17–18 incorrect zone data. 445 Documentation control. 400 Discrete logarithm problem. 14 Differential backup. 343–44 as threat. 252 RADIUS.1Q. 13 WINS servers. 8–9 definition. 120. 3–4. 135 Emergency Management Services. 284–87. 190 example. 417 Disk striping (RAID 0). 288. 235 limiting access. 159 Domain Controller Baseline Policy (DCBP).1x standard Active Directory configuration. 399–403 testing recovery. 436–37 spam. 214 Digital signatures. 360 Domain. 10. 89. 192–93 security systems. 403–06 securing network transmission. 247–48 Protected Extensible Authentication Protocol. 383–89 failover solution. See also Fault tolerance backup frequency. 404–05 DFS (Distributed File System). 285–87 Dynamic Host Configuration Protocol (DHCP) servers. 158–61 Domain name system (DNS). 214 Dumps memory. 120 Domain Admins. 274. 33. 403–06 overview. 414 Disaster recovery plan. 417 Distributed Component Object Model (DCOM). 86 Echo. designing. 67 Dynamic updates. 161–62 Disk mirroring (RAID 1). 90 Digest. 414 incident response procedures. 378 Distributed Denial-of-service (DDoS) attacks. 289–92 Domain Guests. 159 DoS attacks. 410–11 business continuity planning. 
284 Dial-up networking authentication protocols. 291 Domain name system (DNS) servers. 81 DES (Data Encryption Standard). 288. 274. 425–27 incident response procedure. 124 Digital certificates. 282 DNS namespace. 396–99 examples. 247–48 wireless network vulnerabilities. 313 Distributed File System (DFS). 198 802. 90 802. 157 Domain Users. 34 ECB (electronic code book). 254 . 284–87. 385–86 Disaster recovery. 84 Design client authentication. 93 Digest authentication. 99–100. 19 Network-based IDS (NIDS). 349 Effective permissions. 423 Direct serial connection. Denial-of-service (DoS) attacks availability. 291 DHCP scopes. 384 DVD drives. 159 Domain Local groups. 410 Diffie-Hellman key exchange. 425 Dynamic outbound packets. 248–50 description. 156. 291 DMZ (demilitarized zone). 281. See Denial-of-service (DoS) attacks DREAD methodology. 291 DNS cache. 189 description. 287 Depth. 228–29 preventing access. 16 Drop-off directories. 274. 396. 289 Domain controllers. 286 Documentary evidence. 58.

222 Encapsulating security payload (ESP). 197 bastion host. 456 Email replay attack. 452–53 Unix security attributes. 110 Enrollment time. 198 Forensics. 318 secure socket layers. See also Intrusion detection (ID) data searching on hard drive. 55–56 False acceptance rate (FAR). 153 Fixed server roles. 444–45 Forward lookup. 165–71 hidden. 175 /etc/passwd. 342 Email security architectural considerations.11i standard. 13 Fixed database roles. 423–24 Fault tolerant solution. 343 replay attacks. 402 Event logs. 291 FTP (File Transfer Protocol). 802.11a. 64–65 lack of. 175 Ettercap. 415 Fault-tolerant computing. 338 Evacuation drills. 448–49 overview. 339–41. 444–45 Extended Binary Coded Decimal Interchange Code (EBCDIC). 13 Email header. 421–23 RAID levels. 291 File servers.11g. 239 802. 51 FTP servers. 416 Storage area networks.11b. 33. See also Firewalls Finger. 337–39. 8 Fibre Channel. 341–42. 226 External consistency. 120 temporary Internet. 455. 239–40 802. 370 Everyone group. 33. See Cryptography Enforce password history. 252–53 Electronic code book (ECB). 86 Elevation of privilege. 130 Fault tolerance. See also Disaster recovery definition. 425 Failover solution. 336. 336 phishing attacks. 34 Extensible Authentication Protocol (EAP). 201–02 TCP session hijacking. 347–49 email header. 131 Enterprise CA. 456 example. 450–57 definition. 197 weak. 453–55 designing access control. 280 Frequency analysis. 130 FRS (File Replication Services). securing. 416–21 single points of failure. 137 Enigma (encryption machine). 196. 435. 153 Flooding attacks. 168 Evidence. 292–93 simple sharing. 19 personal. 458 understanding evidence. 79 Enrollment strategy. 58–65 disadvantages. 110 ESP (encapsulating security payload). 196. 239 802. 130 False positives. 56. 191 three-pronged configuration. 8. 367–68. 339–41. 368 Firefox. 415. 451–52 securing file servers. 457 gathering evidence on a live system. 206–08 /etc/group. 
51 finger command. 9 Floppy drives. 206–08 Encrypting File System (EFS). 345–46 man-in-the-middle attacks. 415–16. 426 failover solution. 342 spam. 334. See also Integrity F Failover. 338 Firewalls back-to-back configuration. 436. securing. 426 storage. 444. 445–48 hard drive image. 51 Files and folders backing up. 340 overview. 427 RAID hardware and software. 374. 295–97 . 55 Folders and files. 174 /etc/profile. 179–81 Filters. 425–27 Failover system. 455. 263 example. 438 False rejection rate (FRR). 292–93 File Transfer Protocol (FTP). designing. 444 examples. 425–27 overview. 424 File Replication Services (FRS). 349 malcode propagated by. 449. 342–45 Emergency Management Services (EMS). 90 Encryption. 413 deleted. 383–89 Encapsulating. 60. 196 as border security. 332. 76–77 FRR (false rejection rate).

92. 192–93 . 193 Hardware-assisted software RAID. 162 In-band remote management. 401 Hot space (RAID 5EE). 422–23 Header condition signatures. 125 Identity theft. 408. 408. 408 Full-interruption test. 231 Group identities (GIDs). 266 Index Server service. 274 Host record. 94. 231 Ghost. 451 Hidden files. 422–23 Host name. 275–76 Incremental templates. 303 Information disclosure. 158. 402 Functional drill. 209 ILOVEYOU virus. 448–49 Hardware as asset. 402 Full-scale exercise. 35 Hypertext Transfer Protocol over SSL (HTTPS). 455. 288 Group Policy Objects (GPOs) computer authentication. See Group Policy Objects (GPOs) GRE (Generic Routing Encapsulation). 94 disabling LAN Manager. 373 Inbound remote management. 442–43 Honeypots appropriate use of. 435. 276 Information Systems Audit and Control Association (ISACA). 419 Hot spare. 436 Headless servers. 448–49 Impersonate. 236 IAS proxy configuration. 3 I H Half-open connections. 37 ICS (Internet Connection Sharing). 192 Hard drive image. 456 High-interaction honeypots. 419 Hyperlink. 437–38 Host-to-Host layer. 363–64 user rights assignment. 208 Generic Routing Encapsulation (GRE). 449 GIDs (group identities). 174 Global catalog. 311 Host bus adapter (HBA). for security. 172 Group transient key (GTK). 451–52 Hidden shares. 175 Guests. 402 G Gateway-to-gateway security. 439 high-interaction. 207 ID. 169–71 Hidden attribute. 110. 160 Global groups. 96 HBA (host bus adapter). 159 Hijacking attacks. 41 Hot site. 3 Identity-based access control. 442 IAS (Internet Authentication Service). 132 encryption. 119 Hexadecimal commands. 152. 151 IEEE. 367 Infrastructure design. 383 Hypertext Markup Language (HTML). 94 Hash functions. 373–74 securing. 209 IKEv2. 312 Image. 174 Group Policy. 265–66 SUS client configuration. 55 Heterogeneous environment. 442 Honeynet Project. 442 legal considerations. 12 remote management security. 442–43 attack prevention and detection. 
see Institute of Electrical and Electronics Engineers (IEEE) IKE (internet key exchange) protocol. 99 digital signatures. see Intrusion detection (ID) Identification. 121 security templates. 93 Hashes CIA. 443–44 low-interaction. 376–82 Incorrect zone data. 299 HyperTerminal. 442 GPOs. Full backup. 123 Impersonation token. 422–23 Hash collisions. 9. 160 Global catalog servers. 303 Hidden (administrative) shares. 3. 327–28 Home directory. 280 Host-based IDS (HID). 299 Hypertext Transfer Protocol (HTTP). 93–96 examples. 159 GNU General Public License (GNU GPL). 80. 440–41 definition. 236–37 ICMP (Internet Control Message Protocol). 176–77 Honeyd. 13 Information leakage. 284 ICV (integrity check value). 158–61. 441–42 Host.

37 encapsulating security payloads. 61. 35 K Kerberos. 437 Intelligent UPS (uninterruptible power supply). see Internet Protocol (IP) IP address description. 97. 106 IUSR_computername account. 40–41 definition. Infrastructure mode. 287–88 IP within IP. 210–11 creating rules. 208 IPsec VPN clients. 325–26 JavaScript. 204 Key confirmation key (KCK). 326 Joint Photographic Experts Group (JPEG). 4 Institute of Electrical and Electronics Engineers (IEEE). 439 Investigative searching. 38. see Open systems interconnection (OSI) model Issuing CA role. 333 phishing filter. 247–48 Keyed hash functions. See also Hashes Integrity check value (ICV). 239–40 Integrated Windows authentication. 252 Key hierarchy. 242 IV sequencing discipline.11i standard. 242 Inode. 88–90 Vigenere cipher. 176 Input and output devices. 37 Internet Engineering Task Force. 457 prevention systems (IPS). 441 Interactive logon. 67 IP packet filtering. 245 J Java applets. 252 Key distribution center (KDC). 388–89 Interaction. 334–36 Internet Information Services (IIS). 212 definition. 84 802. 299 iSCSI. 434 examples. 248 Key reuse. 212 Internet Explorer cookie policies. 334–35 Internetwork Packet Exchange (IPX). 41. 439 systems (IDS). 36 Intersite Messaging service (ismServ). 208–09 subnet securing. 209 Internet layer. 457 . See also Forensics definition. 41 Hot site. 3 I H Half-open connections. 37 ICS (Internet Connection Sharing). 192 Hard drive image. 456 High-interaction honeypots. 419 Hyperlink. 437–38 Host-to-Host layer. 363–64 user rights assignment. 208 Generic Routing Encapsulation (GRE). 449 GIDs (group identities). 174 Global catalog. 311 Host bus adapter (HBA). for security. 172 Group transient key (GTK). 451–52 Hidden shares. 175 Guests. 402 G Gateway-to-gateway security. 439 high-interaction. 207 ID. 169–71 Hidden attribute. 110. 160 Global groups. 96 HBA (host bus adapter). 159 Hijacking attacks. 41 Hot site. 3 Identity-based access control. 442 IAS (Internet Authentication Service). 132 encryption. 119 Hexadecimal commands. 152. 151 IEEE. 367 Infrastructure design. 383 Hypertext Markup Language (HTML). 94 Hash functions. 373–74 securing. 209 IKEv2. 312 Image. 174 Group Policy. 265–66 SUS client configuration. 55 Heterogeneous environment. 442 Honeynet Project. 442 legal considerations. 12 remote management security. 442–43 attack prevention and detection. 
284 Internet Control Messaging Protocol (ICMP). 252–53 sharing. 253. 106 Internet Authentication Service (IAS). 78 . 36 ISACA (Information Systems Audit and Control Association). 89 Key block. 292 Kerberos realm. 96 Keys definition. 379 Internet Key Exchange (IKE) protocol. 65 static configuration. 53–55 Insider fraud. 434. 6. 299 Internet zone. 439–44 issues affecting. 367 ISAPI (Internet Server Application Programming Interface). 42 Internet Protocol (IP) address network classes. 206 configuration. 20–23 ISO OSI model. 164 Initialization vector (IV). 240 Inherited permissions. 207 Intelligent agents. 136 Key encryption key (KEK). 234 IPX (Internetwork Packet Exchange). 11. 342 zones. 199–200 network address translation. 434–38 Intrusion prevention systems (IPS). 124 Integrity. 134 Key agreement protocol.

223 Linux BIND name server. 42 Network Access. 223 Link establishment phase. 31 Layers. 233–34. 41 Internet. 311–12 web browser security. 131–34 last command. 158 MMC (Microsoft Management Console). 385 Mandatory access control (MAC). 409–10 Melissa (virus). 311. 303 Limiting the attack surface. 335–36 Local Service account. 241 Macro Virus Protection. 316 secure baseline configuration. 42–43 Host-to-Host. 38 Presentation. 37 Media Access. 312 Manage Documents permission. 34. 13 LIFO (Last-in-first-out). 448 Michael. 450–51 Logging programs. 36–37 Physical. 37–38 Logical Link. 52 Local System account. 311–12 Message Integrity Code (MIC). 401 Modem serial connection. 41 LC5 (L0phtrack). 377–78 Mobile (rolling) backup. 50 Link Control Protocol (LCP). 89. 346. 231–32 MIME (Multipurpose Internet Mail Extensions). 176 L L0phtrack (LC5). see Web browser security workstation. 350 spyware. 93. 312 Mail proxy. ISO OSI model Data Link. 381 Microsoft Outlook. 314 Trojan horses. 322. 171. 127 L2TP (Layer 2 Tunneling Protocol). 34 Mitigation of risk. 151–52 MAC (Media Access Control) address. 347 Malcode. 369 Last-in-first-out (LIFO). 337–39. 272–73 LMHosts file. see Security management (ongoing). 127. see Keystroke logging programs Logic bombs. 127 LCP (Link Control Protocol). 347 Mail relay. 37 Network. 386–87 . 277–78 malware programs. 42 Transport. 287 Local intranet zones. 151–52 Man-in-the-middle attack. 313 Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). 233–34. 441–42 ls command. 293–94 Manage Printer permission. 132 LAN Manager-based protocols. 235 LAN Manager protocol. 336–49 examples. XXX Michaelango (virus). 315. 41 encapsulation. 318 Management. 344 Level of criticality. 340 MasterSecret. 225–26 Microsoft Exchange. 8. 225 Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2). 226 Media Access Control (MAC) address. Updates. 314 Knoppix permissions. 368 Layer 2 Tunneling Protocol (L2TP). 294 Managed computer. 52 Log files. 
443–44 Letter salad. 93. 247 Message-Digest algorithm 5 (MD5). 315–22 worms. 203. 313 Logical Link layer. 181 Knowledge-based IDS. 348 Microsoft Passport. 235 Layered architecture. 35 Transport. 37 Media for backups. 34 Media Access layer. 369 lastcomm command.INDEX 515 Keystroke logging programs. 205 MD5 (Message-Digest algorithm 5). 123–24 Microsoft Point-to-Point Encryption (MPPE). 435 Low-interaction honeypots. 34–35 Session. TCP/IP model Application. 16–19 Mixed mode domain. 312–13 viruses. 349 overview. 35 Layers. 245–46. 37 M MAC (mandatory access control). 223 Legal issues and honeypot deployment. managing Management computer. 448 MD5-Challenge. 303 lastlog command. see Malware protection Malware protection email security. 349 Microsoft NetMeeting.

276 N n and n-1. 385 Nyxem Worm. 87 P Packet checksums. 8 overview. 275. 35 Network infrastructure servers. security requirements. 418 Naive Bayes classifier. 10 NSA (National Security Agency). See also Auditing Monitors. 49.516 INDEX Modems. 327. 52 Network stack. 158 NAT-Traversal. 381 Netstat. 10 Nonrepudiation of origin. 87 Nonpersistent cookie. 33 Network security examples. 123–24 Net share command. 234 NCP (Network Control Protocol). 224 Open access point. 10. 332 Outlook postmark. 265–66 Originating domain.NET Passport. 20 integrity. 171 NetBIOS applications. 332 Nonrepudiation. 24 traffic requirements. 128 One-way-hash. 231–32 MS-CHAP (Microsoft Challenge Handshake Authentication Protocol). 435. 275 Multipurpose Internet Mail Extensions (MIME). 88 ntbackup. See also Emergency Management Services (EMS) Output and input devices. 42 Network access server (NAS). 436–37 newgrp command. 223 Network File System (NFS). 53–55 Output feedback (OFB). 133 NTLMv2 protocol. 5. 238 NAT (Network Address Translation) servers. 378 Packet sniffer. 51. 225 MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol Version 2). 401 Mutual authentication. 303 NIST (National Institute of Standards and Technology). 21 Organizational security policy. 87 Off-site backup. 275. 44. 368. 10 Nonrepudiation of delivery. 88 Native mode domain. 45. 55 Moving Picture Experts Group (MPEG). 254 Open Shortlist Path First (OSPF). 54 Network Address Translat